Shorewall 1.4.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@555 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-05-18 18:38:34 +00:00
parent 64064bce9a
commit 72bb7e0a83
42 changed files with 18162 additions and 18273 deletions


@ -1,15 +1,11 @@
Changes since 1.4.1
Changes since 1.4.2
1. Re-order steps in the 'check' command so that the policy file is
checked before the rules file.
1. The 'add' and 'delete' commands no longer leave behind a temporary
directory in /tmp.
2. Create an intermediate chain for input from zones defined in terms
of specific hosts or networks.
2. Added support for 6to4 tunnels.
3. Fixed common.def to use 'reject' rather than 'REJECT'.
3. Added $LOGMARKER for fireparse support
4. Added support for INCLUDE directive in all files.
4. Return more appropriate ICMP responses if the systems supports them.
5. Made traceroute -I work.
6. Add 'routeback' interface and host attribute.
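Review bot: item 4 of the new list reads "if the systems supports them"; it should be "if the system supports them". Item 3 ("Added $LOGMARKER for fireparse support") is the only entry without a full stop, and item 6 uses "Add" where the other entries use the past tense; suggest "6. Added 'routeback' interface and host attribute."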

STABLE/documentation/6to4.htm (new executable file, 141 lines)

@ -0,0 +1,141 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>6to4 Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">6to4 Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security
measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
Details on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p>
<h2>Connecting two IPv6 Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
width="745" height="427" alt="">
</p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
able to communicate with the systems in the 2002:488:999::/64 network. This
is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
utility for network interface and routing configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
is no need to declare a zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All that
is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic. </p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6
encapsulation protocol (41) will be accepted to/from the remote gateway.</p>
<p>Use the following commands to setup system A:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>And use the following commands to setup system B:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration commands
as listed above. The systems in both IPv6 subnetworks can now talk to each
other using IPv6.</p>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
<br>
</body>
</html>
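Review bot: the copyright line is missing a space ("2003Thomas M. Eastep."), the first paragraph lacks its full stop after "IPv4 infrastructure", and "how to setup a 6to4 tunnels" should read "how to set up 6to4 tunnels". On substance, the paragraph explaining the tunnels entry says protocol 41 is accepted to/from the remote gateway; since the page also says that policy, interfaces and zones are not used for this tunnel type and that only an IPv4 stream is visible to iptables, it would help to state explicitly that this is the only filtering Shorewall applies to the tunnel and that, as the warning at the top says, everything carried inside it must be filtered with ip6tables on the tun6to4 interface, so readers do not assume the "net" zone policy covers the IPv6 traffic.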


@ -27,15 +27,16 @@
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend
that you consult that site for information about confuring FreeS/Wan. 
href="http://www.geocities.com/jixen66/"> http://www.geocities.com/jixen66/</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so
I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
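Review bot: "confuring" in the sentence about the jixen site is misspelled in both the old and the new text; it should be "configuring". The URL replacement also keeps the space inside the anchor text and before the full stop ("at<a href=...> http://www.geocities.com/jixen66/</a> ."), so it renders as "at http://www.geocities.com/jixen66/ ."; move the spaces outside the anchor and drop the one before the period.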
@ -118,9 +119,10 @@ then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote subnet.</p>
it in your local zone. In this example, we'll assume that you have
created a zone called "vpn" to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -231,8 +233,8 @@ a zone called "vpn" to represent the remote host.</p>
</blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file
on system A, the following entry should be made:</p>
but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -256,7 +258,8 @@ on system A, the following entry should be made:</p>
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone system.</p>
the peer subnetwork; in other words, the remote gateway is a standalone
system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br>
@ -342,25 +345,76 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other
means. Each of these connectioins will utilize a different updown script that
adds the remote station to the appropriate zone when the connection comes
up and that deletes the remote station when the connection comes down. For
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the
script will issue the command":<br>
with the choice of connection being based on X-509 certificates or some
other means. Each of these connectioins will utilize a different updown
script that adds the remote station to the appropriate zone when the connection
comes up and that deletes the remote station when the connection comes down.
For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of
the script will issue the command":<br>
<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
<br>
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
hosts are not excluded from the rule.<br>
<br>
Example with dyn=dynamic zone:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>ACTION<br>
</b></u></td>
<td valign="top"><u><b>SOURCE<br>
</b></u></td>
<td valign="top"><u><b>DESTINATION<br>
</b></u></td>
<td valign="top"><u><b>PROTOCOL<br>
</b></u></td>
<td valign="top"><u><b>PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>CLIENT<br>
PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>ORIGINAL<br>
DESTINATION<br>
</b></u></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">z:dyn<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the above rule.
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2">Last updated 5/3//2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
</body>
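Review bot: the 'up' and 'down' commands in the Road Warrior example do not match: the up script adds ipsec0:134.28.54.2 to zone vpn2, but the down script deletes it from zone vpn; the delete should name vpn2 as well, otherwise the host remains in the dynamic zone after the tunnel drops. Also "connectioins" should be "connections", the stray quote in 'issue the command":' should go, and the date "5/3//2003" has a doubled slash. In the DNAT limitation example the SOURCE column shows "z:dyn" while the text talks about the exclude list of a DNAT rule; worth confirming that this is the exclusion syntax the example means to show, because the point of the section is that dynamically-added hosts are silently not excluded, which leaves the rule wider than the administrator intended.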


@ -18,7 +18,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
@ -31,10 +30,10 @@
href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b><br>
Before attempting installation, I strongly urge you to read and print a
copy of the <a href="shorewall_quickstart_guide.htm">Shorewall QuickStart
Guide</a> for the configuration that most closely matches your own.</b><br>
<div align="left"><b>Before attempting installation, I strongly urge you
to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
@ -75,13 +74,13 @@ diagnostic:<br>
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
<u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND.
SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU
ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM
WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall
clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
@ -104,11 +103,11 @@ RESTORE NETWORK CONNECTIVITY.</b></font></li>
type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to
be started automatically at boot, see <a
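Review bot: the install command in the "other distributions" item is missing its closing quote: '"./install.sh &lt;init script directory&gt;' opens a quote that never closes, in both the old and the reflowed text (the same item in the tarball upgrade list further down has the same problem). Suggest '"./install.sh &lt;init script directory&gt;"'.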
@ -118,14 +117,14 @@ be started automatically at boot, see <a
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p>
that you downloaded. See the <a href="two-interface.htm">two-interface
QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
or and you have entries in the /etc/shorewall/hosts file then please check
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
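Review bot: "to a 1.4 version or and you have entries" carries a stray "or" in both the old and the reflowed text; it should be "to a 1.4 version and you have entries", matching the wording of the same paragraph in the tarball upgrade section.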
@ -135,8 +134,8 @@ details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
@ -160,16 +159,16 @@ iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. </p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -186,9 +185,9 @@ details. </p>
type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
@ -202,8 +201,8 @@ details. </p>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
<p>You will need to edit some or all of the configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
@ -214,14 +213,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>


@ -27,23 +27,41 @@
</tbody>
</table>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for current
Linux kernel's and pppd. I recommend that you refer to the following URLs
for information about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project
</a>has a nice GUI for configuring and managing VPN connections where your
Linux system is the PPTP client. This is what I currently use. I am no longer
running PoPToP but rather I use the PPTP Server included with XP Professional
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
below).</h4>
    <a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
(Everything you need to run a PPTP client).<br>
    <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'
package can be used to quickly install MPPE into your kernel without rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and pppd
in the text below for those who may wish to obtain the relevant current patches
and "roll their own".<br>
</h4>
<hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your
Firewall.</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your
Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your firewall
system. This isn't a detailed HOWTO but rather an example of how I have set
up a working PPTP server on my own firewall.</p>
<p>I will try to give you an idea of how to set up a PPTP server on your
firewall system. This isn't a detailed HOWTO but rather an example of how
I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
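Review bot: "Linux kernel's and pppd" should be "Linux kernels and pppd" (plural, no apostrophe), and the anchor text "Linux PPTP client project </a>has" needs the space moved outside the closing tag. The two URL lines added after the second h4 are bare text with leading whitespace, outside any block element; wrap them in a <p> or a <ul> so they render consistently with the rest of the page.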
@ -95,8 +113,8 @@ to use encryption:</p>
</ul>
<p>You will need to install the resulting binary on your firewall system.
To do that, I NFS mount my source filesystem and use "make install" from the
ppp-2.4.1 directory.</p>
To do that, I NFS mount my source filesystem and use "make install" from
the ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
@ -128,8 +146,8 @@ ppp-2.4.1 directory.</p>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
<p>You will need a WINS server (Samba configured to run as a WINS server
is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p>
<blockquote>
@ -305,7 +323,7 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
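Review bot: dropping "noping" from the net interface options changes the example firewall's exposure: the external interface is no longer told to drop ICMP echo requests, so it will answer them unless a rule says otherwise. If the option was removed because it is no longer supported in 1.4, say so where this table is introduced so that readers with older configurations know what replaced it; if it is a deliberate change to the example, it deserves a sentence too. The same change is made in the single-ppp-interface table further down.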
@ -337,7 +355,8 @@ the remote hosts look like they are part of the local subnetwork.</li>
<tr>
<td>loc</td>
<td>eth2:192.168.1.0/24</td>
<td>routestopped</td>
<td><br>
</td>
</tr>
<tr>
<td>loc</td>
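Review bot: the "routestopped" option is removed from the loc hosts entry for eth2:192.168.1.0/24 without explanation. With it gone, those hosts are no longer passed while Shorewall is stopped unless that is configured elsewhere; if the option was dropped from the hosts file in favour of another mechanism in 1.4, the text should point to it, since an example that silently loses its stopped-state behaviour is an easy way to lock administrators out.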
@ -421,9 +440,10 @@ the remote hosts look like they are part of the local subnetwork.</li>
</table>
</blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10
and later)<br>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and
later)<br>
</b></p>
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
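Review bot: "/etc/shoreawll/tunnels" is misspelled in both the old and the reflowed heading; it should be "/etc/shorewall/tunnels". Readers copy paths from these headings, so fixing it in this commit is worthwhile.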
@ -447,9 +467,11 @@ and later)<br>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:</p>
@ -469,7 +491,7 @@ ppp interface, you probably want:</p>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
@ -493,8 +515,8 @@ ppp interface, you probably want:</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2>
<p>If you have a single external IP address, add the following to your /etc/shorewall/rules
file:</p>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -589,15 +611,16 @@ you will need to follow the instructions at <a
loadmodule ip_nat_pptp </p>
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your
Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
Rather than use the configuration script that comes with the client, I built
my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client
(see below).</p>
/etc/ppp/options file is mostly unchanged from what came with the client (see
below).</p>
<p>The key elements of this setup are as follows: </p>
@ -716,6 +739,7 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1"
style="border-collapse: collapse;">
@ -740,19 +764,22 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this technique
allows me to distinguish clients of my own PPTP server from arbitrary hosts
at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq
doesn't use that RFC1918 Class C subnet. </p>
<p>I use the combination of interface and hosts file to define the 'cpq'
zone because I also run a PPTP server on my firewall (see above). Using this
technique allows me to distinguish clients of my own PPTP server from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients
and Compaq doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason that
I disable ECN when connecting is that the Compaq tunnel servers don't do ECN
yet and reject the initial TCP connection request if I enable ECN :-( </p>
I disable ECN when connecting is that the Compaq tunnel servers don't do
ECN yet and reject the initial TCP connection request if I enable ECN :-(
</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
@ -889,10 +916,11 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
and corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 5/15/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
</body>


@ -25,28 +25,28 @@
<br>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br>
The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the concept
of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and
ifconfig treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as objects. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled </i>and labels
may take the form of ipconfig virtual interfaces.<br>
not use the concept of aliases or virtual interfaces but rather treats
additional addresses on an interface as objects. The ip utility does provide
for interaction with ifconfig in that it allows addresses to be <i>labeled
</i>and labels may take the form of ipconfig virtual interfaces.<br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0"
is a label for a particular address rather than a device name.<br>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
"eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
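Review bot: three spelling problems survive the reflow: "virtial" should be "virtual", "ipconfig virtual interfaces" should be "ifconfig virtual interfaces" (ipconfig is the Windows tool), and "in either it's" should be "in either its". The two sample outputs also show different hardware addresses for eth0 ("02:00:08:3:FA:55" and "02:00:08:e3:fa:55"); the first is missing a hex digit and should match the second.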
@ -184,12 +184,12 @@ file:<br>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
so that you can see the created address using ifconfig. In addition to
setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
@ -253,12 +253,12 @@ file:<br>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
Shorewall can create the alias (additional address) for you if you
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
so that you can see the created address using ifconfig. In addition to
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows:<br>
<br>
<blockquote>
@ -293,8 +293,8 @@ file:<br>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
In either case, to create rules that pertain only to this NAT pair,
you simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
@ -350,10 +350,10 @@ their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to simply route all requests between
the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
@ -402,7 +402,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
<td valign="top">eth1:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
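Review bot: Changing eth0 to eth1 on the 192.168.1.0/24 hosts entry is the right fix; Example 1 above states that both subnetworks sit on eth1 (192.168.1.254 and eth1:0 at 192.168.20.254), so a hosts entry naming eth0 would never match the traffic it is meant to describe. The same correction is needed for the 192.168.20.0/24 entry and for the loc/loc2 entries in the multi example further down; check that all four occurrences are changed together.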
@ -410,7 +410,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
<td valign="top">eth1:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
@ -585,7 +585,7 @@ specify the <b>multi</b> option.<br>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
<td valign="top">eth1:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
@ -593,7 +593,7 @@ specify the <b>multi</b> option.<br>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
<td valign="top">eth1:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
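Review bot: These two hosts entries put loc and loc2 on the same physical interface (eth1:192.168.1.0/24 and eth1:192.168.20.0/24), which is exactly the case the surrounding "specify the multi option" text covers, yet the table stands alone. Show the matching eth1 line from /etc/shorewall/interfaces with multi set next to this table, since a reader who copies only the hosts entries will not get routing between the two subnetworks.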
@ -607,7 +607,7 @@ specify the <b>multi</b> option.<br>
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a
<p align="left"><font size="2">Last Updated 5/8/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -618,5 +618,6 @@ that you want to permit.<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,23 +2,17 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
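Review bot: Dropping the `<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">` line removes the only charset declaration in this file while the copyright line further down still contains a raw © character; without a charset from this meta or from the web server's Content-Type header, browsers guess the encoding and may render that character as garbage. Keep the meta (or declare whatever charset the files are actually saved in); removing the FrontPage GENERATOR and ProgId metas is fine.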
@ -28,20 +22,14 @@
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
@ -49,7 +37,8 @@
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
@ -67,20 +56,22 @@
</li>
<li> <a
href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
help or Answers to Questions</a><br>
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="1.3" target="_top">Shorewall
1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
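Review bot: The Mailing Lists item carries an empty second anchor `<a href="http://lists.shorewall.net"> </a>` directly after the real link; that is editor cruft and should be removed. The Shorewall 1.3 Site link also uses the bare relative href "1.3" with target="_top" while the 1.2 site link is absolute; use "1.3/" or a full URL so the link does not depend on the serving host's directory redirect or on which mirror serves the page.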
@ -92,72 +83,40 @@ help or Answers to Questions</a><br>
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News
Archive</a></li>
<li> <a
href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>
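Review bot: Chile (http://shorewall.syachile.cl) and Taiwan (http://shorewall.greshko.com) are both added to the mirror list here, but the mirror table on the download page in this same commit gains only a Taiwan row; either add a Chile row there as well or say that it mirrors the web site only. Removing the Quick Search form (together with its "Search is unavailable Daily 0200-0330 GMT" note) also removes the Extended Search link from the index frame, so confirm that search stays reachable from the Mailing Lists page.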

View File

@ -2,23 +2,17 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -28,28 +22,23 @@
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
href="sourceforge_index.htm">Home</a></li>
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
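Review bot: The Home link in this copy of the index moves from sourceforge_index.htm to seattlefirewall_index.htm (the Donations link gets the same change further down); if this is the file deployed on the SourceForge site, seattlefirewall_index.htm has to be shipped there as well or both links will break. The charset meta is dropped here too, with the same concern as in the other index file: the copyright line contains a raw © and nothing else declares the encoding.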
@ -70,16 +59,18 @@
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
Help or Answers to Questions</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -91,29 +82,18 @@ Help or Answers to Questions</a></li>
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News
Archive</a></li>
@ -121,47 +101,24 @@ Archive</a></li>
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
<br>
<br>
<br>
<br>
</body>
</html>
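Review bot: The copyright paragraph should end with `</font></a><br>` followed by `</p>`, not with the empty anchor `<a href="http://www.shorewall.net" target="_top"> </a></p>`; the empty-anchor variant is FrontPage cruft, and the two index files should end up with the same form.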

View File

@ -20,8 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
@ -29,8 +27,8 @@
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
@ -48,8 +46,8 @@ several firewall parameters.</li>
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
@ -58,8 +56,8 @@ where to use many-to-one (dynamic) Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are
exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li>
@ -90,9 +88,9 @@ the completion of a "shorewall stop".</li>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.</p>
character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
<p>Examples:</p>
@ -109,6 +107,76 @@ the rest of the line with a pound sign.</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
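Review bot: The INCLUDE text does not say what happens when the named file does not exist (an error that stops the start, or silently ignored like an over-nested INCLUDE) or whether an absolute path is accepted, and those are the first two questions an administrator building a params.mgmt-style split will hit; add a sentence for each. Since rules.mgmt expands $MGMT_SERVERS straight into an ACCEPT for tcp 22 to $FW, it is also worth stating that included files need the same root-only ownership and permissions as the rest of /etc/shorewall. On the markup side, the heading is written as `IN<small><small></small></small>CLUDE`, which splits the word with empty tags and defeats in-page text search; write it as plain INCLUDE and drop the empty `<big><big>...</big></big>` wrappers after the nesting sentence. The example headers still read "# Shorewall 1.3 /etc/shorewall/params" and "# Shorewall version 1.3 - Rules File" in a section that opens with "Beginning with Shorewall version 1.4.2".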
@ -146,8 +214,8 @@ no effect on the firewall's ruleset. </p>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to
starting your firewall.<br>
</li>
@ -188,10 +256,10 @@ for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
@ -212,8 +280,8 @@ no white space following the "!".</p>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
@ -239,7 +307,6 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
@ -247,39 +314,32 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as
a series of 6 hex numbers separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
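Review bot: The `<font face="Century Gothic, Arial, Helvetica">` elements wrapped around the two `<blockquote>`s in this region should go: an inline `<font>` may not contain a block-level `<blockquote>` in HTML 4.01 Transitional, and the `<font face="Courier">` inside the `<pre>` on the `net $NET_IF $NET_BCAST $NET_OPTIONS` line is redundant because `<pre>` already renders in a monospace face. The MAC address sentences are a pure reflow and read correctly.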
@ -313,8 +373,8 @@ the MAC address in the example above would be written "~02-00-08-E3-
and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not in
the alternate directory will be read from /etc/shorewall.</p>
directory need not contain a complete configuration; those files not
in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
@ -325,19 +385,14 @@ from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c
/etc/testconfig restart</b></i> ).</li>
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
</ol>
<p><font size="2"> Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 4/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
@ -347,5 +402,6 @@ from /etc/shorewall to a separate directory;</li>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -35,7 +35,8 @@
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
@ -64,8 +65,8 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
</ul>
@ -79,24 +80,9 @@ Branch</a>.</li>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip shorewall-<i>version</i>.noarch.rpm"</li>
<li>TARBALL - "tar -ztf shorewall-<i>version</i>.tgz"
(the directory name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
downloaded.</p>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS
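Review bot: This hunk removes the only guidance on the download page for checking which version was actually fetched (the `rpm -qip shorewall-version.noarch.rpm`, `tar -ztf` and LRP version-file commands) and keeps just the errata pointer, but the paragraph being dropped explains why the check matters: during a release the links may point at a newer or older version than the page shows. Keep at least the three verification commands, or point at whatever checksum or signature the release ships with if one exists, because "check the errata for your version" is of no use to a reader who cannot tell which version they have.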
@ -163,6 +149,18 @@ REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
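Review bot: The new Taiwan row is inconsistent with the rows around it: the HTTP Browse link has no target attribute, the FTP link uses target="_top", and the France row just above uses target="_blank" for both; pick one (target="_blank" to match the table) and drop the `<br>` inside the first `<a>`, which puts a line break inside the link text.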
@ -195,5 +193,7 @@ REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</body>
</html>

View File

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
@ -47,21 +48,22 @@ the archive, replace the 'firewall' script in the untarred directory
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
firewall script in /usr/share/shorewall/firewall, you
may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
For example, do NOT install the 1.3.9a firewall script if you are
running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="upgrade_issues.htm">Upgrade
Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
@ -91,13 +93,32 @@ iptables</a></b></li>
<h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<h3>1.4.2</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
response rather than the more appropriate TCP RST response. This problem
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
<li>When an 'add' or 'delete' command is executed, a temporary directory
created in /tmp is not being removed. This problem may be corrected by installing
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described ablve. <br>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST response.
This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
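Review bot: "described ablve" in the new 1.4.2 entry should read "described above". The entry also leaves the administrator without a cleanup step: it says the 'add' and 'delete' commands leave a directory behind in /tmp but not whether installing the corrected firewall script removes directories already left there or whether they must be deleted by hand, and a root-owned process accumulating directories in /tmp is something people will want to tidy up. The empty `<h3></h3>` just above the 1.4.2 heading is leftover markup and can be removed while touching this region.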
@ -143,8 +164,8 @@ RedHat released this buggy iptables in RedHat 7.2.
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
corrected 1.2.3 rpm which you can download here</a>  and I
have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
@ -218,9 +239,9 @@ running Shorewall 1.3.7a or later or:</p>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or
</li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
<li>if you are
running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
@ -242,15 +263,12 @@ result in Shorewall being unable to start:<br>
disabled it. The 2.4.19 kernel contains corrected support under a
new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2"> Last updated 5/11/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

Binary file not shown.

View File

@ -21,8 +21,8 @@
border="0">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<td width="33%" valign="middle"
align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -36,12 +36,13 @@
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)">
src="images/postfix-white.gif" align="right" border="0" width="124"
height="66" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
@ -52,7 +53,7 @@
<div align="right"><br>
<b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br>
   </font></b><br>
</div>
</td>
</tr>
@ -66,19 +67,18 @@ Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br>
<p>Please note that the mail server at shorewall.net
checks incoming mail:<br>
</p>
<ol>
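Review bot: Removing the "Not able to Post Mail to shorewall.net?" section leaves postmaster@shorewall.net as the only address for reporting list problems, but a reader whose mail to shorewall.net is being rejected cannot reach an address at shorewall.net either; the off-site contact that this hunk drops existed precisely for that case, so keep some out-of-band channel. The link to spam_filters.htm (the bounce policy) is also removed from this page; if the policy still applies it should stay linked, and if not, the page itself should be retired.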
@ -86,38 +86,38 @@ at hotmail dot com.</p>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX
record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li>
<li>to verify that the sender's domain has an A
or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br>
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
Nevertheless, to allow subscribers to receive list posts as must as possible,
I have now configured the list server at shorewall.net to strip all HTML
from outgoing posts. This means that HTML-only posts will be bounced by
the list server.<br>
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need to
get a <i>(explitive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts. This means that HTML-only posts
will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your
e-mail admin may be blocking mail whose <i>Received:</i> headers contain
the names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
If you find that you are missing an occasional list post,
your e-mail admin may be blocking mail whose <i>Received:</i> headers
contain the names of certain ISPs. Again, I believe that such policies
hurt more than they help but I'm not prepared to go so far as to start
stripping <i>Received:</i> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
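Review bot: Since these paragraphs are being reflowed anyway, fix the typos they carry forward: "explitive deleted" should be "expletive deleted", "as must as possible" should be "as much as possible", and "admin's" should be "admins".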
@ -147,8 +147,8 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
@ -157,9 +157,9 @@ won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
If you want to trust X.509 certificates issued by
Shoreline Firewall (such as the one used on my web site), you
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's
@ -258,10 +258,10 @@ to make this less confusing. To unsubscribe:</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
reminder, or change your subscription options enter your subscription
email address:". Enter your email address in the box and
click on the "<b>Unsubscribe</b> or edit options" button.</p>
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
@ -285,7 +285,5 @@ click on the "<b>Unsubscribe</b> or edit options" button.</p>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

File diff suppressed because one or more lines are too long

View File

@ -27,6 +27,9 @@
coming in Shorewall version 1.4.0. <br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br>
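Review bot: typos in the new text. "In Shoreall 1.4.0 and later version, ICMP echo-request's are treated" should read "In Shorewall 1.4.0 and later versions, ICMP echo-requests are treated", and the path "/etc/shoreall/rules" two lines later should be "/etc/shorewall/rules"; a reader who copies the path as written will not find the file.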
@ -63,11 +66,12 @@ form:<br>
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
a rule in /etc/shoreall/rules of the form:<br>
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
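Review bot: the reflowed sentence carries the same misspelled path, "need a rule in /etc/shoreall/rules of the form:"; since the line is being rewritten anyway, correct it to "/etc/shorewall/rules". The added qualifier "and &lt; 1.4.0" in the heading is a good fix, since the 1.4.0 behaviour is now described in its own section above.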
@ -119,8 +123,8 @@ a rule in /etc/shoreall/rules of the form:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and
simple routing.</li>
</ol>
These cases will be covered separately.<br>
@ -132,8 +136,8 @@ and simple routing.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the
ping request then the request is ignored.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
@ -168,12 +172,12 @@ destination is applied.<br>
to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
@ -183,5 +187,6 @@ to with an ICMP echo-reply.</li>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -52,8 +52,8 @@
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably
want to open TCP Port 53 as well.<br>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will
return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p>
@ -87,6 +87,12 @@ the latter case, be sure that your server is properly configured.</p>
<p> TCP Port 25.</p>
</blockquote>
<p>RealPlayer<br>
</p>
<blockquote>
<p>UDP Port 6790 inbound<br>
</p>
</blockquote>
<p>POP3</p>
<blockquote>
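Review bot: the new RealPlayer entry, "UDP Port 6790 inbound", gives a direction without saying which side it applies to. The DNS entry on this page distinguishes the client case from the server case; do the same here, stating whether port 6790 is opened towards a RealPlayer client behind the firewall or towards a server being hosted, and which zone pair the rule names. As written a reader cannot tell whether an ACCEPT rule, a DNAT rule, or no rule at all is needed.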
@ -144,8 +150,8 @@ the latter case, be sure that your server is properly configured.</p>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
@ -153,8 +159,25 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot<br>
</li>
</ol>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
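Review bot: the one-liner "rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart" chains the commands with ";", so if the first rmmod fails (it will, with "Device or resource busy", while any tracked FTP connection still references the module) the restart still runs and the old port list stays loaded with no warning. Suggest joining the commands with "&amp;&amp;" so the restart only happens after both modules are actually gone, and saying that the order matters because ip_nat_ftp depends on ip_conntrack_ftp and must be removed first. It would also help to state that the restart is what loads the modules again with the new ports option, which is why the reboot is the only alternative.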
@ -189,13 +212,20 @@ is lots of additional information at
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>VNC<br>
</p>
<blockquote>
<p>TCP port 5900 + &lt;display number&gt;</p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 2/25/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -203,5 +233,8 @@ is lots of additional information at
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,9 +2,11 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
@ -14,8 +16,10 @@
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
@ -28,21 +32,27 @@
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center">
<h1><font color="#ffffff">             Shorewall 1.4</font><i><font
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</font></a><br>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
</tbody>
</table>
@ -52,165 +62,202 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is
distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
This
program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
<br>
You should have
received a copy of the GNU General Public
License along with this program; if
not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You
should have received a copy of the GNU
General Public License along with
this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to your setup.
If you want to use the documentation that you find here, it is best if you
uninstall what you have and install a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2>News</h2>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>TCP connection requests rejected out of the <b>common</b> chain
are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
<li>There were several cases where Shorewall would fail to remove
a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. This
insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now supported
in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
by setting LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is in
HTML format but was generated from Microsoft PowerPoint and is best viewed
using Internet Explorer (although Konqueror also seems to work reasonably
well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to
view the presentation.<br>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate chain for
handling input from the related zone. This can substantially reduce the number
of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><b></b></p>
<blockquote>
<ol>
</ol>
</blockquote>
<p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of Bering
1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<font color="#ffffff"><b>Note:
</b></font></strong><font color="#ffffff">Search is unavailable
Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial"
size="-1"> <input type="text" name="words" size="15"></font><font
size="-1"> </font> <font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
<br>
</td>
</tr>
</tbody>
</table>
</center>
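Review bot: the GSLUG item is dated "4/12/2002" but sits below the 4/21/2003 entry in a newest-first news list and says "This morning", so it should read 4/12/2003. Also check the nesting around "Problems Corrected": a &lt;blockquote&gt; is opened there and no matching &lt;/blockquote&gt; appears before the 5/10/2003 mirror item, so the mirror and downtime items would render indented inside the 1.4.3 release note.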
@ -221,25 +268,32 @@ Issues</a>' for information about how this new option may affect your configurat
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<td
width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
<br>
</p>
<br>

View File

@ -6,7 +6,6 @@
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -40,28 +39,28 @@
<ul>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980
- present</li>
<li><a href="http://www.tandem.com">Tandem Computers,
Incorporated</a> (now part of the <a href="http://www.hp.com">The
New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and
wrote Shorewall. </p>
ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then designed
and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
@ -71,27 +70,30 @@ I live with my wife Tarry.
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Dual boots <a
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB
&amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows
system. Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a
WINS server. This system also has <a
NIC - My personal Linux System which runs Samba configured
as a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both
<a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0 
and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
- My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
main work system.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP
(Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD -
3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.2  and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD,
built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My
work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys
WAC11 - Our Laptop.<br>
</li>
</ul>
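Review bot: the rewritten firewall entry reads "256MB MB RAM" (doubled "MB") and says "Firewall running Shorewall 1.4.2" in the commit that releases 1.4.3; either update the version or drop it so the page does not go stale with every release.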
@ -114,11 +116,16 @@ main work system.</li>
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
</a><img src="images/shorewall.jpg"
alt="Protected by Shorewall" width="125" height="40" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
@ -126,5 +133,11 @@ main work system.</li>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -47,6 +47,9 @@ is updated at the same time as the rsync site.</b></p>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
@ -59,8 +62,9 @@ is updated at the same time as the rsync site.</b></p>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA).</li>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
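Review bot: the reflowed Texas mirror entry still has link text that disagrees with its href: the anchor points at ftp://ftp.infohiiway.com/pub/mirrors/shorewall/ while the visible text says ftp://ftp.infohiiway.com/pub/shorewall. Make the text match the href, since users who paste the visible URL into an FTP client will get the wrong path.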
@ -75,7 +79,7 @@ is updated at the same time as the rsync site.</b></p>
Search results and the mailing list archives are always fetched from the
site in Washington State.<br>
<p align="left"><font size="2">Last Updated 3/7/2003 - <a
<p align="left"><font size="2">Last Updated 5/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -84,5 +88,6 @@ site in Washington State.<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,22 +2,16 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -29,19 +23,17 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
Version 4.0</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
@ -53,102 +45,27 @@ we must all first walk before we can run.<br>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
Index Below) outlines the steps necessary to set up a firewall
where <b>there are multiple public IP addresses involved or
if you want to learn more about Shorewall than is explained in
the single-address guides above.</b></p>
<ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
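Review bot: the new sentence "The Shorewall Setup Guide (See Index Below) outlines the steps" is ambiguous once this hunk removes the numbered section index (1.0 Introduction through 7.0 Starting and Stopping the Firewall) that followed it. If the reference is meant for the documentation index further down the page, say so ("see the documentation index below"); otherwise drop the parenthetical so it does not read as a dangling reference.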
@ -166,24 +83,23 @@ trying to use this documentation directly.</p>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<li><a
href="configuration_file_basics.htm">Common configuration file
features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a
@ -197,20 +113,18 @@ trying to use this documentation directly.</p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li>
href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<li><a href="Documentation.htm">Configuration
File Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li> <a
href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
@ -230,65 +144,133 @@ a test configuration)</a></li>
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a
href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a>
</li>
<li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a
href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by host
or subnet</a><br>
</li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code through the use of
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel
Configuration</a></font></li>
<li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a
href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
<li><a href="myfiles.htm">My Shorewall
Configuration (How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
<li>How to safely test a Shorewall configuration
change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li>VPN
<ul>
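Review bot: the Shorewall Setup Guide section list is mis-nested: `<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br></li>` is closed first and the `<ul>` that follows becomes a direct child of the outer `<ul>`, which is not valid HTML; the same happens after `Starting/stopping the Firewall</a></font></li>`. Move each `</li>` to after its nested list, as the "Port Information" and "VPN" items already do. Within the guide list, "4.4 Address Resolution Protocol" and "4.5 RFC 1918", and likewise "5.1 Routed" and "5.2 Non-routed", are split across back-to-back `</ul><ul>` pairs and should each be one list.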
@ -297,25 +279,30 @@ Proxy with Shorewall</a><br>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from
a system behind your firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li>
<li><a
href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 5/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
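Review bot: the new VPN entry's link text reads "6t04" (with a digit zero) while its href is `6to4.htm` and the new page is titled "6to4 Tunnels"; correct the text to "6to4". The `<br>` before that item's `</li>` is also unnecessary and adds a blank line under the entry.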

View File

@ -27,7 +27,7 @@
<p><a href="#Addresses">4.1 IP Addresses</a><br>
<a href="#Subnets">4.2 Subnets</a><br>
<a href="#Routing">4.3 Routing</a><br>
<a href="#ARP">4.4 Address Resolution Protocol</a><br>
<a href="#ARP">4.4 Address Resolution Protocol (ARP)</a><br>
<a href="#RFC1918">4.5 RFC 1918</a></p>
</blockquote>
@ -57,8 +57,8 @@
where a set of public IP addresses must be managed or who want to know
more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give you
general guidelines and will point you to other resources as necessary.</p>
the range of possible applications is so broad, the Guide will give
you general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT
@ -81,9 +81,9 @@ this program:</p>
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them with Shorewall.
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them with Shorewall.
Similarly, if you copy a configuration file from your Windows hard drive
to a floppy disk, you must run dos2unix against the copy before using
it with Shorewall.</p>
@ -99,10 +99,10 @@ Version of dos2unix</a></li>
<h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for most setups, you will only need to deal with a few
of these as described in this guide. Skeleton files are created during the
<a href="Install.htm">Shorewall Installation Process</a>.</p>
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for most setups, you will only need to deal with a few of these as described
in this guide. Skeleton files are created during the <a
href="Install.htm">Shorewall Installation Process</a>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
@ -144,9 +144,9 @@ the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
file. In this guide, the default name (<b>fw</b>) will be used.</p>
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
to zone names. Zones are entirely what YOU make of them. That means that
you should not expect Shorewall to do something special "because this
is the internet zone" or "because that is the DMZ".</p>
to zone names. Zones are entirely what YOU make of them. That means
that you should not expect Shorewall to do something special "because
this is the internet zone" or "because that is the DMZ".</p>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    Edit the /etc/shorewall/zones file and make any changes necessary.</p>
@ -175,21 +175,21 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
<li> Identify the source zone.</li>
<li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's
zone is what you want for this client/server pair, you need do
nothing further.</li>
zone is what you want for this client/server pair, you need do nothing
further.</li>
<li> If the POLICY is not what you want, then you must
add a rule. That rule is expressed in terms of the client's zone
and the server's zone.</li>
</ol>
<p> Just because connections of a particular type are allowed from zone A
to the firewall and are also allowed from the firewall to zone B <font
<p> Just because connections of a particular type are allowed from zone
A to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can
have a proxy running on the firewall that accepts a connection from zone
A and then establishes its own separate connection from the firewall to
zone B.</p>
have a proxy running on the firewall that accepts a connection from
zone A and then establishes its own separate connection from the firewall
to zone B.</p>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file
@ -241,8 +241,8 @@ zone B.</p>
<ol>
<li>allow all connection requests from your local network to
the internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall or local network and log a message at the <i>info</i>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network and log a message at the <i>info</i>
level (<a href="shorewall_logging.html">here</a> is a description of log
levels).</li>
<li>reject all other connection requests and log a message at
@ -265,12 +265,12 @@ to illustrate the important aspects of Shorewall configuration.</p>
<p align="left">In this diagram:</p>
<ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is
used to isolate your internet-accessible servers from your local systems
so that if one of those servers is compromised, you still have the firewall
between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local
3. </li>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ
is used to isolate your internet-accessible servers from your local
systems so that if one of those servers is compromised, you still have
the firewall between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and
Local 3. </li>
<li>All systems from the ISP outward comprise the Internet Zone.
</li>
@ -308,17 +308,17 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
computers will be connected to the same switch (note: If you have only
a single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect
it to and you will end up confused and believing that Linux networking
doesn't work at all.</p>
or switch (even for testing). It won't work the way that you expect it
to and you will end up confused and believing that Linux networking doesn't
work at all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p>
@ -456,17 +456,17 @@ many times as necessary.</p>
<p align="left">Normally, your ISP will assign you a set of <i> Public</i>
IP addresses. You will configure your firewall's external interface to
use one of those addresses permanently and you will then have to decide
how you are going to use the rest of your addresses. Before we tackle that
question though, some background is in order.</p>
how you are going to use the rest of your addresses. Before we tackle
that question though, some background is in order.</p>
<p align="left">If you are thoroughly familiar with IP addressing and routing,
you may <a href="#Options">go to the next section</a>.</p>
<p align="left">The following discussion barely scratches the surface of addressing
and routing. If you are interested in learning more about this subject,
I highly recommend <i>"IP Fundamentals: What Everyone Needs to Know about
Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN
0-13-975483-0.</p>
<p align="left">The following discussion barely scratches the surface of
addressing and routing. If you are interested in learning more about this
subject, I highly recommend <i>"IP Fundamentals: What Everyone Needs to
Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
1999, ISBN 0-13-975483-0.</p>
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
@ -504,17 +504,17 @@ Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN
of the high order byte of its address so you could look at an IP address
and immediately determine the associated <i>netmask</i>. The netmask
is a number that when logically ANDed with an address isolates the <i>network
number</i>; the remainder of the address is the <i>host number</i>. For
example, in the Class C address 192.0.2.14, the network number is hex
C00002 and the host number is hex 0E.</p>
number</i>; the remainder of the address is the <i>host number</i>.
For example, in the Class C address 192.0.2.14, the network number is
hex C00002 and the host number is hex 0E.</p>
<p align="left">As the internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting (early
on, large corporations and universities were assigned their own class A
network!). After some false starts, the current technique of <i>subnetting</i>
these networks into smaller <i>subnetworks</i> evolved; that technique is
referred to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system
that you are likely to work with will understand CIDR and Class-based networking
<p align="left">As the internet grew, it became clear that such a gross partitioning
of the 32-bit address space was going to be very limiting (early on, large
corporations and universities were assigned their own class A network!).
After some false starts, the current technique of <i>subnetting</i> these
networks into smaller <i>subnetworks</i> evolved; that technique is referred
to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system that
you are likely to work with will understand CIDR and Class-based networking
is largely a thing of the past.</p>
<p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is
@ -637,8 +637,8 @@ are used for the subnet address and subnet broadcast address respectively.
<p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
Mask</i> for a network of size <b>n</b>. From the above table, we can
derive the following one which is a little easier to use.</p>
Mask</i> for a network of size <b>n</b>. From the above table, we
can derive the following one which is a little easier to use.</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -820,9 +820,9 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface is
configured with ip address <b>a.b.c.d</b> and with the netmask that corresponds
to VLSM <b>/v</b>.</p>
utility also uses this syntax). This simply means that the interface
is configured with ip address <b>a.b.c.d</b> and with the netmask that
corresponds to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p>
@ -847,17 +847,16 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
how to get to a single host. In the 'netstat' output this can be seen
by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the
Flags column. The remainder are 'net' routes since they tell the kernel
how to route packets to a subnetwork. The last route is the <i>default
route</i> and the gateway mentioned in that route is called the <i>default
gateway</i>.</p>
how to route packets to a subnetwork. The last route is the <i>default route</i>
and the gateway mentioned in that route is called the <i>default gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
it starts at the top of the routing table and:</p>
<p align="left">When the kernel is trying to send a packet to IP address
<b>A</b>, it starts at the top of the routing table and:</p>
<ul>
<li>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in
the table entry.</p>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
in the table entry.</p>
</li>
<li>
<p align="left">The result is compared with the 'Destination' value in
@ -869,12 +868,10 @@ the table entry.</p>
<ul>
<li>
<p align="left">If the 'Gateway' column is non-zero, the packet is
sent to the gateway over the interface named in the 'Iface' column.</p>
</li>
<li>
<p align="left">Otherwise, the packet is sent directly to <b>A </b>over
the interface named in the 'iface' column.</p>
</li>
@ -888,10 +885,10 @@ the table entry.</p>
</ul>
<p align="left">Since the default route matches any IP address (<b>A</b> land
0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table
entries are sent to the <i>default gateway</i> which is usually a router
at your ISP.</p>
<p align="left">Since the default route matches any IP address (<b>A</b>
land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
table entries are sent to the <i>default gateway</i> which is usually a
router at your ISP.</p>
<p align="left">Lets take an example. Suppose that we want to route a packet
to 192.168.1.5. That address clearly doesn't match any of the host routes
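Review bot: the trailing context sentence "Lets take an example" is missing its apostrophe ("Let's"); since the surrounding paragraph is being re-wrapped in this hunk, it is a good moment to fix it.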
@ -903,19 +900,20 @@ at your ISP.</p>
<pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre>
</blockquote>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</p>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over
eth2.</p>
</div>
<p align="left">One more thing needs to be emphasized -- all outgoing packet
are sent using the routing table and reply packets are not a special
case. There seems to be a common mis-conception whereby people think that
request packets are like salmon and contain a genetic code that is magically
transferred to reply packets so that the replies follow the reverse route
taken by the request. That isn't the case; the replies may take a totally
different route back to the client than was taken by the requests -- they
are totally independent.</p>
case. There seems to be a common mis-conception whereby people think
that request packets are like salmon and contain a genetic code that
is magically transferred to reply packets so that the replies follow
the reverse route taken by the request. That isn't the case; the replies
may take a totally different route back to the client than was taken by
the requests -- they are totally independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol (ARP)</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
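Review bot: the re-wrapped paragraph opens with "all outgoing packet are sent", which should read "all outgoing packets are sent"; the hunk already rewrites these lines, so the number agreement can be fixed in the same change, and "mis-conception" can lose its hyphen.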
@ -930,9 +928,9 @@ are totally independent.</p>
</blockquote>
<div align="left">
<p align="left">As you can see from the above output, the MAC is 6 bytes (48
bits) wide. A card's MAC is usually also printed on a label attached to
the card itself. </p>
<p align="left">As you can see from the above output, the MAC is 6 bytes
(48 bits) wide. A card's MAC is usually also printed on a label attached
to the card itself. </p>
</div>
<div align="left">
@ -985,10 +983,10 @@ system (including your Windows system) using the 'arp' command:</p>
of us don't deal with these registrars but rather get our IP addresses
from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many Public
IP addresses as we have devices to assign them to so we end up making use
of <i> Private </i>IP addresses. RFC 1918 reserves several IP address ranges
for this purpose:</p>
<p align="left">It's a fact of life that most of us can't afford as many
Public IP addresses as we have devices to assign them to so we end up making
use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -998,8 +996,8 @@ for this purpose:</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. This is
understandable given that anyone can select any of these addresses for
their private use.</p>
understandable given that anyone can select any of these addresses
for their private use.</p>
</div>
<div align="left">
@ -1010,8 +1008,8 @@ their private use.</p>
<div align="left">
<ul>
<li>
<p align="left">As the IPv4 address space becomes depleted, more and more
organizations (including ISPs) are beginning to use RFC 1918 addresses
<p align="left">As the IPv4 address space becomes depleted, more and
more organizations (including ISPs) are beginning to use RFC 1918 addresses
in their infrastructure. </p>
</li>
<li>
@ -1035,9 +1033,10 @@ their private use.</p>
<div align="left">
<p align="left">The choice of how to set up your network depends primarily
on how many Public IP addresses you have vs. how many addressable entities
you have in your network. Regardless of how many addresses you have,
your ISP will handle that set of addresses in one of two ways:</p>
on how many Public IP addresses you have vs. how many addressable
entities you have in your network. Regardless of how many addresses
you have, your ISP will handle that set of addresses in one of two
ways:</p>
</div>
<div align="left">
@ -1084,13 +1083,13 @@ change them appropriately:<br>
</div>
<div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
is 192.0.2.65. Your ISP has also told you that you should use a netmask
of 255.255.255.0 (so your /28 is part of a larger /24). With this many
IP addresses, you are able to subnet your /28 into two /29's and set
up your network as shown in the following diagram.</p>
<p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28
routed through 192.0.2.65. That means that you have IP addresses 192.0.2.64
- 192.0.2.79 and that your firewall's external IP address is 192.0.2.65.
Your ISP has also told you that you should use a netmask of 255.255.255.0
(so your /28 is part of a larger /24). With this many IP addresses,
you are able to subnet your /28 into two /29's and set up your network
as shown in the following diagram.</p>
</div>
<div align="left">
@ -1100,10 +1099,10 @@ change them appropriately:<br>
</div>
<div align="left">
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
be configured to 192.0.2.66 and the default gateway for hosts in the local
network would be 192.0.2.73.</p>
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ
would be configured to 192.0.2.66 and the default gateway for hosts in
the local network would be 192.0.2.73.</p>
</div>
<div align="left">
@ -1139,13 +1138,13 @@ of 256 would be justified because of the simplicity of the setup.</p>
</div>
<div align="left">
<p align="left">It is this rather unexpected ARP behavior on the part of the
Linux Kernel that prompts the warning earlier in this guide regarding the
connecting of multiple firewall/router interfaces to the same hub or switch.
When an ARP request for one of the firewall/router's IP addresses is sent
by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then a
race as to which "here-is" response reaches the sender first.</p>
<p align="left">It is this rather unexpected ARP behavior on the part of
the Linux Kernel that prompts the warning earlier in this guide regarding
the connecting of multiple firewall/router interfaces to the same hub
or switch. When an ARP request for one of the firewall/router's IP addresses
is sent by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then
a race as to which "here-is" response reaches the sender first.</p>
</div>
<div align="left">
@ -1153,22 +1152,22 @@ by another system connected to the hub/switch, all of the firewall's
</div>
<div align="left">
<p align="left">If you have the above situation but it is non-routed, you
can configure your network exactly as described above with one additional
twist; simply specify the "proxyarp" option on all three firewall interfaces
in the /etc/shorewall/interfaces file.</p>
<p align="left">If you have the above situation but it is non-routed,
you can configure your network exactly as described above with one additional
twist; simply specify the "proxyarp" option on all three firewall
interfaces in the /etc/shorewall/interfaces file.</p>
</div>
<div align="left">
<p align="left">Most of us don't have the luxury of having enough public IP
addresses to set up our networks as shown in the preceding example (even
if the setup is routed). </p>
<p align="left">Most of us don't have the luxury of having enough public
IP addresses to set up our networks as shown in the preceding example
(even if the setup is routed). </p>
</div>
<div align="left">
<p align="left"><b>For the remainder of this section, assume that your ISP
has assigned you IP addresses 192.0.2.176-180 and has told you to use
netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
has assigned you IP addresses 192.0.2.176-180 and has told you to
use netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
</div>
<div align="left">
@ -1200,8 +1199,8 @@ this problem.</p>
</div>
<div align="left">
<p align="left">Often a combination of these techniques is used. Each of these
will be discussed in the sections that follow.</p>
<p align="left">Often a combination of these techniques is used. Each of
these will be discussed in the sections that follow.</p>
</div>
<div align="left">
@ -1212,11 +1211,11 @@ this problem.</p>
<p align="left">With SNAT, an internal LAN segment is configured using RFC
1918 addresses. When a host <b>A </b>on this internal segment initiates
a connection to host <b>B</b> on the internet, the firewall/router
rewrites the IP header in the request to use one of your public IP addresses
as the source address. When <b>B</b> responds and the response is received
by the firewall, the firewall changes the destination address back
to the RFC 1918 address of <b>A</b> and forwards the response back to
<b>A.</b></p>
rewrites the IP header in the request to use one of your public IP
addresses as the source address. When <b>B</b> responds and the response
is received by the firewall, the firewall changes the destination address
back to the RFC 1918 address of <b>A</b> and forwards the response back
to <b>A.</b></p>
</div>
<div align="left">
@ -1274,10 +1273,11 @@ local interface).</div>
<div align="left">
<p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT.
If you wanted to use a different IP address, you would either have to
use your distributions network configuration tools to add that IP address
to the external interface or you could set ADD_SNAT_ALIASES=Yes in
/etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
If you wanted to use a different IP address, you would either have
to use your distributions network configuration tools to add that IP
address to the external interface or you could set ADD_SNAT_ALIASES=Yes
in /etc/shorewall/shorewall.conf and Shorewall will add the address for
you.</p>
</div>
<div align="left">
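Review bot: "use your distributions network configuration tools" in the reflowed text needs the possessive, "your distribution's network configuration tools".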
@ -1295,8 +1295,8 @@ local interface).</div>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
     Suppose that your daughter wants to run a web server on
her system "Local 3". You could allow connections to the internet
to her server by adding the following entry in <a
her system "Local 3". You could allow connections to the internet to
her server by adding the following entry in <a
href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div>
@ -1334,15 +1334,15 @@ to her server by adding the following entry in <a
to access your daughter's server, she can connect to <a
href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external
IP address) and the firewall will rewrite the destination IP address
to 192.168.201.4 (your daughter's system) and forward the request. When
your daughter's server responds, the firewall will rewrite the source
address back to 192.0.2.176 and send the response back to <b>A.</b></p>
to 192.168.201.4 (your daughter's system) and forward the request.
When your daughter's server responds, the firewall will rewrite the
source address back to 192.0.2.176 and send the response back to <b>A.</b></p>
</div>
<div align="left">
<p align="left">This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses but Shorewall will not
add that address to the firewall's external interface for you.</p>
<p align="left">This example used the firewall's external IP address for
DNAT. You can use another of your public IP addresses but Shorewall will
not add that address to the firewall's external interface for you.</p>
</div>
<div align="left">
@ -1356,8 +1356,8 @@ add that address to the firewall's external interface for you.</p>
<div align="left">
<ul>
<li>
<p align="left">A host <b>H </b>behind your firewall is assigned one of
your public IP addresses (<b>A)</b> and is assigned the same netmask
<p align="left">A host <b>H </b>behind your firewall is assigned one
of your public IP addresses (<b>A)</b> and is assigned the same netmask
<b>(M) </b>as the firewall's external interface. </p>
</li>
<li>
@ -1365,9 +1365,9 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask
</p>
</li>
<li>
<p align="left">When <b>H</b> issues an ARP "who has" request for an address
in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will
respond (with the MAC if the firewall interface to <b>H</b>). </p>
<p align="left">When <b>H</b> issues an ARP "who has" request for an
address in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
will respond (with the MAC if the firewall interface to <b>H</b>). </p>
</li>
</ul>
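Review bot: the typo in the third list item survives the reflow: "with the MAC if the firewall interface to H" should read "with the MAC of the firewall interface to H". Since this hunk only rewraps the paragraph, it is the natural place to fix the wording as well.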
@ -1387,8 +1387,8 @@ respond (with the MAC if the firewall interface to <b>H</b>). </p>
<div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to
system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
on the firewall. That address and netmask isn't relevant - just be sure
it doesn't overlap another subnet that you've defined.</div>
on the firewall. That address and netmask isn't relevant - just be
sure it doesn't overlap another subnet that you've defined.</div>
<div align="left">  </div>
@ -1442,6 +1442,7 @@ rather than behind it.<br>
(192.0.2.177 and 192.0.2.178 in the above example)  to the external interface
(eth0 in this example) of the firewall.</b></font><br>
</p>
<div align="left"> </div>
</div>
@ -1463,26 +1464,27 @@ rather than behind it.<br>
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP address
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a
host from being exposed to the Internet to behind Shorewall using proxy
Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
<br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for
example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the
idea that it works most of the time.<br>
to gratuitous ARPs, but googling for "arping -U" seems to support the idea
that it works most of the time.<br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP
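Review bot: the arping example uses 66.58.99.83 while every other address in this guide comes from the 192.0.2.x documentation range (192.0.2.176, 192.0.2.177, 192.0.2.178); for consistency and to avoid pointing readers at someone else's address, the rewrapped line `arping -U -I eth0 66.58.99.83 # for example` should use one of the guide's own proxy ARP addresses, e.g. 192.0.2.177. Minor grammar in the same hunk: "cause the ISP's router to refresh their ARP cache" should be "its ARP cache".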
@ -1518,11 +1520,11 @@ cache entry but many either can't or won't purge individual entries.</li>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of DMZ 1. In other words, the gateway's ARP cache
still associates 192.0.2.177 with the NIC in DMZ 1 rather than with
the firewall's eth0.</p>
different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ
1 rather than with the firewall's eth0.</p>
</div>
<div align="left">
@ -1533,9 +1535,9 @@ the firewall's eth0.</p>
<p align="left">With static NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public
IP addresses. For outgoing connections SNAT (Source Network Address
Translation) occurs and on incoming connections DNAT (Destination
Network Address Translation) occurs. Let's go back to our earlier example
involving your daughter's web server running on system Local 3.</p>
Translation) occurs and on incoming connections DNAT (Destination Network
Address Translation) occurs. Let's go back to our earlier example involving
your daughter's web server running on system Local 3.</p>
</div>
<div align="left">
@ -1574,8 +1576,8 @@ connections. This is done with the following entry in /etc/shorewall/masq:
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Suppose now that you have decided to give your daughter her
own IP address (192.0.2.179) for both inbound and outbound connections.
    Suppose now that you have decided to give your daughter
her own IP address (192.0.2.179) for both inbound and outbound connections.
You would do that by adding an entry in <a
href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div>
@ -1816,8 +1818,8 @@ way to allow connection requests through your firewall is to use ACCEPT
</div>
<div align="left">
<p align="left">If you run a public DNS server on 192.0.2.177, you would need
to add the following rules:</p>
<p align="left">If you run a public DNS server on 192.0.2.177, you would
need to add the following rules:</p>
</div>
<div align="left">
@ -1949,10 +1951,10 @@ way to allow connection requests through your firewall is to use ACCEPT
</div>
<div align="left">
<p align="left">The above discussion reflects my personal preference for using
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I
prefer to use NAT only in cases where a system that is part of an RFC 1918
subnet needs to have it's own public IP. </p>
<p align="left">The above discussion reflects my personal preference for
using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
I prefer to use NAT only in cases where a system that is part of an RFC
1918 subnet needs to have it's own public IP. </p>
</div>
<div align="left">
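Review bot: "needs to have it's own public IP" should be "its own public IP"; the rewrap keeps the apostrophe error in both the old and new lines of this paragraph.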
@ -1960,20 +1962,21 @@ subnet needs to have it's own public IP.
height="13">
    If you haven't already, it would be a good idea to browse
through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>
just to see if there is anything there that might be of interest. You
might also want to look at the other configuration files that you
haven't touched yet just to get a feel for the other things that Shorewall
can do.</p>
just to see if there is anything there that might be of interest.
You might also want to look at the other configuration files that
you haven't touched yet just to get a feel for the other things that
Shorewall can do.</p>
</div>
<div align="left">
<p align="left">In case you haven't been keeping score, here's the final set
of configuration files for our sample network. Only those that were modified
from the original installation are shown.</p>
<p align="left">In case you haven't been keeping score, here's the final
set of configuration files for our sample network. Only those that were
modified from the original installation are shown.</p>
</div>
<div align="left">
<p align="left">/etc/shorewall/interfaces (The "options" will be very site-specific).</p>
<p align="left">/etc/shorewall/interfaces (The "options" will be very
site-specific).</p>
</div>
<div align="left">
@ -2353,21 +2356,21 @@ can do.</p>
</div>
<div align="left">
<p align="left">Given the collection of RFC 1918 and public addresses in this
setup, it only makes sense to have separate internal and external DNS
servers. You can combine the two into a single BIND 9 server using <i>Views.
</i> If you are not interested in Bind 9 views, you can <a
<p align="left">Given the collection of RFC 1918 and public addresses in
this setup, it only makes sense to have separate internal and external
DNS servers. You can combine the two into a single BIND 9 server using
<i>Views. </i> If you are not interested in Bind 9 views, you can <a
href="#StartingAndStopping">go to the next section</a>.</p>
</div>
<div align="left">
<p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the
three local systems named "winken.foobar.net, blinken.foobar.net and
nod.foobar.net. You want your firewall to be known as firewall.foobar.net
DMZ systems named www.foobar.net and mail.foobar.net and you want
the three local systems named "winken.foobar.net, blinken.foobar.net
and nod.foobar.net. You want your firewall to be known as firewall.foobar.net
externally and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS server
on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
and its interface to the dmz as dmz.foobar.net. Let's have the DNS
server on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div>
<div align="left">
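Review bot: three wording defects are carried through the rewrap of this DNS paragraph: "it's interface to the local network" should be "its interface", "to be know as gateway.foobar.net" should be "to be known as", and the opening quotation mark before winken.foobar.net has no closing partner (either close it after nod.foobar.net or drop it).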
@ -2493,8 +2496,8 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -2504,23 +2507,23 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    Edit the /etc/shorewall/routestopped file and configure those
systems that you want to be able to access the firewall when it is
stopped.</p>
    Edit the /etc/shorewall/routestopped file and configure
those systems that you want to be able to access the firewall when
it is stopped.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
added an entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 3/21/2003 - <a
<p align="left"><font size="2">Last updated 5/3/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
@ -2535,5 +2538,6 @@ stopped.</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,9 +2,11 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
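Review bot: the `<title>` still reads "Shoreline Firewall (Shorewall) 1.3" while the page header below announces "Shorewall 1.4" and the news entry is for 1.4.3; this hunk already touches the `<head>`, so update the title to 1.4 here rather than leaving a 1.3 title on the 1.4 front page.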
@ -14,26 +16,27 @@
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
color="#ffffff"><small><small><small>Shorewall 1.2 Site here<br>
</a></i></font><font color="#ffffff">Shorewall 1.4 -
<font size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
</small></small></small></font></a>
</h1>
</td>
</tr>
</tbody>
</table>
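Review bot: the header links to the 1.3 and 1.2 sites are removed in a way that leaves empty anchors behind: `<a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a>` and the following `<a target="_top" href="http://www1.shorewall.net/1.2/index.htm">...<br></small></small></small>...</a>` now wrap only whitespace and a `<br>`. If the links are meant to go away, remove the anchor tags entirely; if they are meant to stay, keep their "Shorewall 1.3 Site here" / "Shorewall 1.2 Site here" text.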
@ -41,177 +44,226 @@
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on
a standalone GNU/Linux system.</p>
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used on
a dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under
the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program
is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
This
program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
<br>
You should have
received a copy of the GNU General Public
License along with this program; if
not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You
should have received a copy of the GNU
General Public License along with
this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to your setup.
If you want to use the documentation that you find here, it is best if you
uninstall what you have and install a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2>
<b> </b>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail to remove
a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. This
insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li>
<p><b>    Problems Corrected:</b></p>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4)
tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (<a
href="http://www.fireparse.com">http://www.fireparse.com</a>) by setting
LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is
best viewed using Internet Explorer (although Konqueror also seems to
work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote>
<p><b></b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b> chain
are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed out
on the first hop (e.g., to the firewall). This has been worked around.</li>
</ol>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate chain for
handling input from the related zone. This can substantially reduce the number
of rules traversed by connections requests from such zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for the
command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never happen, people
continue to want to do it. To limit the damage that such nonsense produces,
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual group
entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
Issues</a>' for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have
a LEAF (router/firewall/gateway on a floppy,
CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their
work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on
the recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
<td width="88" bgcolor="#4b017c" valign="top"
align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br>
 </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]">
</font> </form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</tr>
</tbody>
</table>
</center>
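Review bot: the page carries `file:///` URLs that cannot resolve for anyone reading it on the web: `<a href="file:///Z:/Shorewall-docs/News.htm"></a>`, `<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">` and `<a target="_top" href="file:///vfat/Shorewall-docs/1.3/index.html">` should point at the relative documents (News.htm, upgrade_issues.htm, 1.3/index.html) or be dropped where the anchor is empty. Smaller points in the same hunk: the 1.4.3 new-features item opens with a duplicated anchor `<a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4) tunnels </a>` (one anchor suffices); "the QuickStart Guide that most closely match your environment" should read "matches"; and the "4/12/2002 - Greater Seattle Linux Users Group Presentation" entry sits between 4/26/2003 and older 2003 items, so the year looks like it should be 2003.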
@ -222,27 +274,35 @@ Issues</a>' for information about how this new option may affect your configurat
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
</body>
</html>

View File

@ -45,28 +45,29 @@
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
changes.  Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
@ -77,21 +78,21 @@ you must run dos2unix against the copy before using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
to /etc/shorewall (they will replace files with the same names that were
placed in /etc/shorewall during Shorewall installation)</b>.</p>
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
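Review bot: the download link now points at the directory `http://www1.shorewall.net/pub/shorewall/Samples/` instead of the tarball, but the instruction that follows still says "un-tar it (tar -zxvf one-interface.tgz)" without telling the reader which file in that directory to fetch; either link the one-interface.tgz file directly or add the file name to the instruction. The duplicated "and and copy the files" also survives the rewrap and should become "and copy the files".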
@ -132,8 +133,8 @@ placed in /etc/shorewall during Shorewall installation)</b>.</p>
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -191,21 +192,21 @@ your firewall</li>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p>
will be the ethernet adapter (<b>eth0</b>) that is connected to that
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different,
    The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p>
While you are there, you may wish to review the list of options that
are specified for the interface. Some hints:</p>
<ul>
<li>
@ -214,8 +215,8 @@ your firewall</li>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -234,8 +235,8 @@ your firewall</li>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation
destination address is reserved by RFC 1918. In some cases though,
ISPs are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
@ -284,8 +285,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div>
<div align="left">
@ -333,8 +334,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -395,8 +396,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -406,8 +407,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
added an entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
@ -427,5 +428,6 @@ Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -30,24 +30,24 @@
<h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
formidable outil et sa disponibilité)</i><i>.</i></small></p>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
Tom EASTEP pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
focalise sur ce qui est nécessaire pour configurer Shorewall, dans son utilisation
la plus courante :</p>
<ul>
<li>Un système Linux</li>
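Review bot: the rewrapped translator's note carries over two mis-encoded apostrophes, `N?hésitez` and `d?améliorer`, where a typographic apostrophe was lost; the rest of the paragraph uses the plain ASCII apostrophe (`n'est`, `qu'à`), so replace them with `N'hésitez` and `d'améliorer` while these lines are being touched.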
@ -57,8 +57,8 @@ rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
@ -73,11 +73,11 @@ la configuration sont recommand
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de
les utiliser. De la même manière, si vous copiez un fichier de configuration
depuis votre disque dur Windows vers une disquette, vous devez lancer dos2unix
sur la copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -95,18 +95,18 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
(Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall
installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des
instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique interface,
une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
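Review bot: the sample link now points at the directory `http://www1.shorewall.net/pub/shorewall/Samples/`, but the instruction that follows still names a specific archive, `un-tarez le (tar -zxvf one-interface.tgz)`; either link the tarball directly or tell the reader which file to fetch from that directory so the command matches what they downloaded.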
@ -126,15 +126,15 @@ interface, une seule zone est d
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -143,11 +143,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
Si aucune des règles dans ce fichier ne correspondent, alors la première politique
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
@ -198,8 +197,8 @@ a les politiques suivantes :</p>
Ces politiques vont :
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
votre firewall</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li>
@ -223,8 +222,8 @@ sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour une interface suppose que votre
interface externe est <b>eth0</b>. Si votre configuration est différente,
L'exemple de configuration de Shorewall pour une interface suppose que
votre interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p>
@ -248,8 +247,8 @@ de la liste d'option. </p>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée (<i>Private</i>IP)
pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
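Review bot: the RFC 1918 sentence keeps `(<i>Private</i>IP)` with no space between the closing `</i>` and `IP`, and the French agreement is off in `définie plusieurs plage d'adresses IP privée`; suggest `La RFC 1918 définit plusieurs plages d'adresses IP privées (<i>Private</i> IP)` since the line is being rewritten anyway.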
@ -310,8 +309,8 @@ vers votre firewall, le format g
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
serveur POP3 sur votre système de firewall :</p>
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un serveur
POP3 sur votre système de firewall :</p>
</div>
<div align="left">
@ -417,16 +416,16 @@ d
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre système
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
La <a href="Install.htm">procédure d'installation </a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la version
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p>
</div>
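Review bot: the rewrapped startup paragraph carries over `n'essayer pas de lancer Shorewall avec que la configuration soit finie`, which should read `n'essayez pas de lancer Shorewall avant que la configuration soit finie` (imperative form, and `avant que` rather than `avec que`).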
@ -441,10 +440,10 @@ de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
@ -465,5 +464,6 @@ M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,19 +2,14 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
@ -23,54 +18,45 @@
<td
width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number
of sources of Shorewall information. Please try these before you
post.
There are
a number of sources of Shorewall information. Please try these before
you post.
<ul>
<li>More than half of the questions posted
on the support list have answers directly accessible from the
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation
<li>Shorewall versions earlier
that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems.
</li>
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
components. </li>
<li> The Site and Mailing
List Archives search facility can locate documents and posts
about similar problems: </li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has solutions
to more than 20 common problems. </li>
<li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to help
you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<li> The Site
and Mailing List Archives search facility can locate documents
and posts about similar problems: </li>
</ul>
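Review bot: the new first bullet reads `Shorewall versions earlier that 1.3.0 are no longer supported`; `that` should be `than`. The other bullets in this hunk turn the relative `FAQ.htm`, `troubleshoot.htm` and `errata.htm` links into absolute `http://www.shorewall.net/...` URLs, so an installed copy of this page will always go to the live site rather than the bundled documentation; that is a deliberate behaviour change and deserves a line in the commit message.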
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
@ -96,45 +82,48 @@ Index</a><br>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
</font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
<ul>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have
been countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
<li>Please remember we only know what
is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing and
formatting your e-mail. Provide details that we need if you expect good
answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<li>Please keep in mind that you're
asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li> Please
don't describe your environment and then ask us to send
you custom configuration files. We're here to answer
your questions but we can't do your job for you.<br>
<li>
Please don't describe your environment and then ask us
to send you custom configuration files. We're here
to answer your questions but we can't do your
job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
@ -144,71 +133,53 @@ command output, and other output is better than a paraphrase or summary.<br
<ul>
<ul>
<li>the exact version of Shorewall you are
running.<br>
<li>the exact version of Shorewall
you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
<b><font color="#009900">shorewall
version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<li>the exact kernel version you are
running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<font color="#009900"><b>ip addr
show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<font color="#009900"><b>ip route
show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact
output from<br>
<li>If your kernel is modularized,
the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br>
</li>
</ul>
@ -224,20 +195,33 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
3.<b><font color="#009900"> /sbin/shorewall status
&gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the
Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul>
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive
them anyway from information contained in the SMTP headers of your
post).<br>
<li>As
a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained in
the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
@ -247,64 +231,63 @@ post).<br>
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If
you include /etc/shorewall/rules, please include /etc/shorewall/policy
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file if
you have modified that file) that you think are relevant.
If you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post
GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
<li><b>The list server limits posts to 120kb so don't
post GIFs of your network layout, etc. to
the Mailing List -- your post will be rejected.</b></li>
</ul>
<blockquote>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have
now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
I think that blocking all HTML is
a Draconian way to control spam and that the ultimate losers
here are not the spammers but the list subscribers whose MTAs
are bouncing all shorewall.net mail. As one list subscriber wrote
to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML based
e-mail". Nevertheless, to allow subscribers to receive list posts
as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<blockquote> <b>If you have a <u>quick</u> question about
capabilities or where to find something, you may use the</b> <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <u><b>DO NOT POST THE OUTPUT OF "shorewall status" TO THE FORUM;
I WON'T LOOK AT IT.</b></u> <b>If you need to supply "shorewall status"
output, use the appropriate mailing list below.</b><br>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4>
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an
MNF license from MandrakeSoft then you can post non MNF-specific
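Review bot: two typos survive the rewrap of the two blockquotes: `acknowleges` (acknowledges) in the LEAF credit and `as must as possible` (as much as possible) in the HTML paragraph; fix them while these lines are being rewritten. The new forum paragraph also opens with `<blockquote> <b>If you have a <u>quick</u> question` on the same line as the tag, whereas the rest of the file starts block content on its own line after `<blockquote>`.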
@ -312,35 +295,25 @@ Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>.<br>
To Subscribe to the mailing list go to <a
list</a> .</p>
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 5/12/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
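Review bot: in the rewrapped mailing-list paragraph, `list</a> .</p>` leaves a space before the period, and the period after the subscribe link lands on its own line as `.<br>`, which renders as a detached ` .`; keep each period adjacent to its closing `</a>`. The link for other mailing lists also changes from `http://lists.shorewall.net/mailing_list.htm` to `http://lists.shorewall.net`, which is worth mentioning in the commit message.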

View File

@ -55,9 +55,9 @@ local network.</li>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -74,15 +74,16 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -91,17 +92,17 @@ tell if this package is installed by the presence of an <b>ip</b> program
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you will only need to deal with
a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the same
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
the files to /etc/shorewall (the files will replace files with the
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration,
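Review bot: the link now points at the directory `http://www.shorewall.net/pub/shorewall/Samples/` while the text still says `un-tar it (tar -zxvf three-interfaces.tgz)`; name the file to download or link it directly so the command matches. The duplicated `and and copy` also survives the rewrap and should be fixed in the same change.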
@ -235,8 +236,8 @@ firewall to the internet (if you uncomment the additional policy)</li>
</ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and
make any changes that you wish.</p>
    At this point, edit your /etc/shorewall/policy file
and make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -245,9 +246,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
</p>
<p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g.,
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the ethernet adapter that is connected to
that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
@ -262,22 +263,22 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have only
a single local system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same switch (note: If you have
only a single local system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
only a single DMZ system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same
hub or switch (even for testing). It won't work the way that you expect
it to and you will end up confused and believing that Shorewall doesn't
work at all.</p>
hub or switch (even for testing). It won't work the way that you
expect it to and you will end up confused and believing that Shorewall
doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
@ -285,18 +286,19 @@ hub or switch (even for testing). It won't work the way that you expect
that the external interface is <b>eth0, </b>the local interface is
<b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
you can replace the "detect" in the second column with "-".
</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
</li>
</ul>
@ -306,14 +308,14 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
your connection when you dial in (standard modem) or establish your PPP
connection. In rare cases, your ISP may assign you a<i> static</i> IP
address; that means that you configure your firewall's external interface
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses for your internal network
(the local and DMZ Interfaces on your firewall plus your other computers).
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
@ -323,8 +325,8 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP
address of your external interface and if it is one of the above
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
</div>
@ -333,14 +335,14 @@ interface's entry in /etc/shorewall/interfaces.</p>
<p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from
the left of the subnet mask. </p>
by "/24". The "24" refers to the number of consecutive "1" bits
from the left of the subnet mask. </p>
</div>
<div align="left">
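Review bot: the context line `notation with consists of the subnet address followed by "/24"` carries a typo that this re-wrap leaves in place; since the paragraph is already being touched, change `with consists` to `which consists` in the same edit.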
@ -390,18 +392,18 @@ example) or the last usable address (10.10.10.254).</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp; 2) should
be configured with their<i> default gateway</i> set to the IP address
of the firewall's internal interface and your DMZ computers ( DMZ
Computers 1 &amp; 2) should be configured with their default gateway
set to the IP address of the firewall's DMZ interface.   </p>
    Your local computers (Local Computers 1 &amp; 2)
should be configured with their<i> default gateway</i> set to the
IP address of the firewall's internal interface and your DMZ computers
( DMZ Computers 1 &amp; 2) should be configured with their default
gateway set to the IP address of the firewall's DMZ interface.   </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
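Review bot: the re-wrap stops one line short of a typo in the trailing context, `The remainder of this quide will assume`; fix `quide` to `guide` while this paragraph is being edited.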
@ -417,33 +419,33 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network and if it is in the 10.10.11.0/24 subnet then you will need
to select a different RFC 1918 subnet for your DMZ.</b><br>
your external interface an RFC 1918 address. If that address is in the
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
subnet for your local network and if it is in the 10.10.11.0/24 subnet then
you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
</p>
<p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in the
packet to be the address of the firewall's external interface; in other
words, the firewall makes it look as if the firewall itself is initiating
the connection.  This is necessary so that the destination host will
be able to route return packets back to the firewall (remember that
packets whose destination address is reserved by RFC 1918 can't be routed
accross the internet). When the firewall receives a return packet, it
rewrites the destination address back to 10.10.10.1 and forwards the
packet on to local computer 1. </p>
forward packets which have an RFC-1918 destination address. When
one of your local systems (let's assume local computer 1) sends a
connection request to an internet host, the firewall must perform
<i>Network Address Translation </i>(NAT). The firewall rewrites the
source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it look as if the firewall
itself is initiating the connection.  This is necessary so that the
destination host will be able to route return packets back to the firewall
(remember that packets whose destination address is reserved by RFC
1918 can't be routed accross the internet). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
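Review bot: the re-wrapped line `1918 can't be routed accross the internet)` keeps the misspelling `accross`; correct it to `across` in the new text rather than carrying it forward. Also, `<p align="left">IP Masquerading (SNAT)</p>` is a section title written as a plain paragraph, while the sibling section uses `<h2 align="left">Network Interfaces</h2>`; promote it to `<h2>` so the document structure stays consistent.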
@ -465,8 +467,8 @@ packet on to local computer 1. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
you do not need to modify the file provided with the sample. Otherwise,
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
then you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -481,8 +483,8 @@ your static IP in column 3 makes <br>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
</p>
<ul>
@ -496,12 +498,12 @@ your static IP in column 3 makes <br>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection
is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to
rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
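Review bot: `requests to your firewall who rewrites the destination address` personifies the firewall; `which rewrites` reads better, and `It is rather necessary for those clients to address` would be clearer as `Instead, those clients must address`. Worth fixing while the paragraph is being re-flowed.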
@ -538,8 +540,8 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -621,8 +623,8 @@ following rule and try connecting to port 5000 (e.g., connect to <a
</blockquote>
<p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you can
replace the loc-&gt;dmz rule above with:</p>
your external address, then if you have a static external IP you
can replace the loc-&gt;dmz rule above with:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -703,10 +705,10 @@ servers. </p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as
your primary and secondary name servers. It is <u>your</u> responsibility
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
@ -724,16 +726,16 @@ servers. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name
server (which also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure your
internal systems to use the caching name server as their primary (and
only) name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to
talk to your caching name server, you must open port 53 (both UDP
and TCP) from the local network to the server; you do that by adding
the rules in /etc/shorewall/rules. </p>
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address if
you choose to run the name server on your firewall. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the server; you do that
by adding the rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -900,8 +902,8 @@ the rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
removed if you commented out the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -1041,8 +1043,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -1178,9 +1180,9 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1205,5 +1207,6 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<br>
<br>
<br>
<br>
</body>
</html>
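Review bot: the only change here is one more `<br>` appended to the run of line breaks before `</body>`; that run is presentational padding and should be trimmed, not extended.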

View File

@ -32,14 +32,14 @@
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
traduction exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau
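Review bot: the re-wrapped lines retain the mis-encoded apostrophes in `n?est`, `N?hésitez` and `d?améliorer`, where an apostrophe has become `?`, apparently lost in a charset conversion; replace them with a plain `'` or `&rsquo;` while the paragraph is being edited.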
@ -66,17 +66,17 @@ RTC, ...</li>
height="635">
</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
le changements dans votre configuration. Les points où, les changements dans
la configuration sont recommandées, sont signalés par une <img
vous familiariser avec ce qu'il va se passer, et de revenir au début en
effectuant le changements dans votre configuration. Les points où, les changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
</p>
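Review bot: the re-wrapped line `effectuant le changements dans votre configuration` should read `les changements`, and `les changements dans la configuration sont recommandées` needs the masculine plural `recommandés` (the stray comma after `Les points où` should also go); fix these while touching the lines.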
@ -85,14 +85,14 @@ la configuration sont recommand
devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie
avant de l'utiliser avec Shorewall.</p>
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
@ -104,11 +104,11 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
d'exemple <a href="http://www1.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
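Review bot: the link is changed from the specific tarball `.../LATEST.samples/three-interfaces.tgz` to the directory `http://www1.shorewall.net/pub/shorewall/Samples/`, but the surrounding text still tells the reader to run `tar -zxvf three-interfaces.tgz`; either link the archive directly or state which file to pick from the listing, and verify that the English guide's sample link points at the same location.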
@ -144,8 +144,8 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
@ -161,10 +161,11 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première politique
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p>
@ -262,14 +263,14 @@ que vous d
</p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non
USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre
interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
(ISDN), votre interface extérieure sera ippp0<b>.</b></p>
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
@ -284,24 +285,24 @@ un <i>c
<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous n'avez
qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au
firewall par un <i>câble croisé</i>).</p>
appartenant à la DMZ seront connectés à ce même switch (note : si vous
n'avez qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
au firewall par un <i>câble croisé</i>).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u> Ne connectez pas l'interface interne et externe sur le même hub
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que
ce soit shorewall qui ne marche pas.</p>
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas
que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et
que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p>
L'exemple de configuration de Shorewall pour trois interfaces suppose
que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
</b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
diffère, vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
options qui sont spécifiées pour les interfaces. Quelques trucs :</p>
<ul>
<li>
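Review bot: the warning `Ne connectez pas l'interface interne et externe sur le même hub ou switch` is narrower than the English original, `Do not connect more than one interface to the same hub or switch (even for testing)`: as written the French does not cover the DMZ interface sharing a switch with the local or external one, which is exactly the case this three-interface layout has to rule out. Suggest `Ne connectez pas plus d'une interface sur le même hub ou switch (même pour tester)`.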
@ -309,9 +310,9 @@ sp
remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
d'option. </p>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
liste d'option. </p>
</li>
</ul>
@ -323,14 +324,15 @@ sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela signifie
que vous configurez votre interface externe sur votre firewall afin d'utiliser
cette adresse de manière permanente. Une fois votre adresse externe assignée,
elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous
devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
(modem standard) ou établissez votre connexion PPP. Dans de rares cas ,
votre provider peu vous assigner une adresse statique (staticIP address);
cela signifie que vous configurez votre interface externe sur votre firewall
afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
à Internet. Vous devrez assigner vos propres adresses à votre réseau local
(votre interface interne sur le firewall ainsi que les autres ordinateurs).
La RFC 1918 réserve plusieurs plages d'IP (Private IP address ranges) à
cette fin :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
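Review bot: the re-wrapped lines keep several slips: `Dans de rares cas , votre provider peu vous assigner` should be `cas, ... peut`, and `tout vos systèmes` should be `tous vos systèmes`; fix them since the lines are being rewritten anyway.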
@ -351,12 +353,12 @@ sous-r
en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est
réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet Broadcast</i>
<i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné en utilisant
la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain
Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau suivie par
"/24". Le "24" se réfère au nombre de bits "1" consécutifs dans la partie
gauche du masque de sous-réseau. </p>
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet
Broadcast</i> <i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné
en utilisant la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
InterDomain Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau
suivie par "/24". Le "24" se réfère au nombre de bits "1" consécutifs dans
la partie gauche du masque de sous-réseau. </p>
</div>
<div align="left">
@ -391,17 +393,17 @@ gauche du masque de sous-r
</div>
<div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la première
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
ou la dernière utilisable (10.10.10.254).</p>
<p align="left">Il est de convention d'assigner à l'interface interne la
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
précédent) ou la dernière utilisable (10.10.10.254).</p>
</div>
<div align="left">
<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils
peuvent communiquer directement. Pour communiquer avec des systèmes en dehors
du sous-réseau, les ordinateurs envoient des paquets à travers le gateway
(routeur).</p>
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
ils peuvent communiquer directement. Pour communiquer avec des systèmes
en dehors du sous-réseau, les ordinateurs envoient des paquets à travers
le gateway (routeur).</p>
</div>
<div align="left">
@ -410,15 +412,15 @@ du sous-r
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant
sur l'adresse IP de l'interface DMZ du firewall. </p>
être configurés avec leur passerelle par défaut (<i>default gateway)</i>
pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
</div>
<p align="left">Cette courte description ne fait que survoler les concepts
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage
IP et le routage, je vous recommande chaudement <i>"IP Fundamentals: What
Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
l'adressage IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Pour rappel, ce guide supposera que vous avez configuré votre
réseau comme montrer ci-dessous :</p>
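Review bot: the rewrapped line "Si vous vous voulez en apprendre plus" keeps a doubled "vous"; since the paragraph is being rewrapped anyway, make it "Si vous voulez". Two smaller fixes in the same hunk: in the sentence about local computers, "(<i>default gateway)</i>pointant" needs a space before "pointant", and the trailing context line "comme montrer ci-dessous" should read "comme montré ci-dessous".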
@ -436,22 +438,23 @@ en local sera 10.10.10.254.</p>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion
à un serveur par Internet, le firewall doit appliquer un NAT (Network Address
Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui même qui initie la connexion. Ceci
est nécessaire afin que l'hôte de destination soit capable de renvoyer les
paquets au firewall (souvenez vous que les paquets qui ont pour adresse de
destination, une adresse réservée par la RFC 1918 ne pourront pas être routés
à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à
l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
mots, le firewall fait croire que c'est lui même qui initie la connexion.
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
de destination, une adresse réservée par la RFC 1918 ne pourront pas être
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
Masquerading mais vous verrez aussi le terme de Source Network Address Translation
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<ul>
<li>
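Review bot: the rewrapped NAT paragraph carries over several spelling errors that this whitespace-only change could have fixed: "ré écrit" should be "réécrit", "l'a remplace" should be "la remplace" (object pronoun, not the verb avoir), "lui même" takes a hyphen ("lui-même"), and "l'ordinateur1" is missing the space used everywhere else ("l'ordinateur 1"). In the following paragraph the new wrap leaves a lone ":" on its own line; keep "Netfilter :" together.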
@ -480,8 +483,8 @@ le fichier fourni avec l'exemple. Dans le cas contraire,
Si votre IP externe est statique, vous pouvez la mettre dans la troisième
colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de
mettre votre IP statique dans la troisième colonne permet un traitement des
paquets sortant un peu plus efficace.<br>
mettre votre IP statique dans la troisième colonne permet un traitement
des paquets sortant un peu plus efficace.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -504,9 +507,10 @@ faite les changements n
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p>
de connexion au firewall qui ré écrit l'adresse de destination de votre
serveur, et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
le firewall applique automatiquement un SNAT pour ré écrire l'adresse source
dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant
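Review bot: the context line "dans la DMZ. que ces ordinateurs on une adresse" has lost the start of its sentence and a verb form; it reads as if "Parce" was dropped, and "on" should be "ont" ("Parce que ces ordinateurs ont une adresse RFC-1918"). "ré écrit" appears twice in the rewrapped lines and should be "réécrit", and "Translation(DNAT)" on the trailing context line needs a space before the parenthesis.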
@ -531,7 +535,8 @@ est :</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
@ -595,8 +600,9 @@ local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
<li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous
connecter à votre serveur web, essayez la règle suivante et connectez vous
sur le port 5000 (c.a.d., connectez vous à <a href="http://w.x.y.z:5000">
http://w.x.y.z:5000</a> où w.x.y.z est votre IP externe).</li>
sur le port 5000 (c.a.d., connectez vous à <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est votre
IP externe).</li>
</ul>
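Review bot: the rewrap puts a space inside the anchor text ("> http://w.x.y.z:5000</a>"), and w.x.y.z is a placeholder for the reader's own external IP, so turning it into a live href is misleading; render it as plain text (or <code>) rather than a link.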
@ -629,10 +635,10 @@ http://w.x.y.z:5000</a> o
</table>
</blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
le réseau local en utilisant votre adresse externe, et si vous avez une adresse
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
par :</p>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
depuis le réseau local en utilisant votre adresse externe, et si vous avez
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
précédente par :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -703,8 +709,8 @@ les
</table>
</blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
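Review bot: the trailing context line ends with a doubled period ("pour vos serveurs.."); the paragraph is untouched by the rewrap so it is easy to miss, but it should be fixed along with the others in this file.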
@ -712,22 +718,22 @@ IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall
(Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf
a été écrit). Il arrive que votre provider vous donne une paire d'adresse
IP pour les DNS (name servers) afin que vous configuriez manuellement votre
serveur de nom primaire et secondaire. La manière dont le DNS est configuré
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
de ses deux façons :</p>
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
manuellement votre serveur de nom primaire et secondaire. La manière dont
le DNS est configuré sur votre firewall est de votre responsabilité. Vous
pouvez procéder d'une de ses deux façons :</p>
<ul>
<li>
<p align="left">Vous pouvez configurer votre système interne pour utiliser
les noms de serveurs de votre provider. Si votre fournisseur vous donne les
adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site
web, vous pouvez configurer votre système interne afin de les utiliser. Si
cette information n'est pas disponible, regardez dans /etc/resolv.conf sur
votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
les noms de serveurs de votre provider. Si votre fournisseur vous donne
les adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
site web, vous pouvez configurer votre système interne afin de les utiliser.
Si cette information n'est pas disponible, regardez dans /etc/resolv.conf
sur votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p>
</li>
<li>
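Review bot: two grammar slips survive the rewrap of the DNS paragraph: "une paire d'adresse IP" should be plural ("une paire d'adresses IP"), and "d'une de ses deux façons" should be "de l'une de ces deux façons" (demonstrative, not possessive).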
@ -737,13 +743,14 @@ votre firewall -- les noms des serveurs sont donn
votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre système interne pour utiliser le firewall lui même comme étant le seul
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall
(10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez
de faire tourner le serveur de nom sur votre firewall. Pour permettre à vos
systèmes locaux de discuter avec votre serveur cache de nom, vous devez ouvrir
le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous ferez
ceci en ajoutant les règles suivantes dans /etc/shorewall/rules. </p>
votre système interne pour utiliser le firewall lui même comme étant le
seul serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne
du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom
si vous décidez de faire tourner le serveur de nom sur votre firewall. Pour
permettre à vos systèmes locaux de discuter avec votre serveur cache de
nom, vous devez ouvrir le port 53 (UDP ET  TCP) sur le firewall vers le
réseau local; vous ferez ceci en ajoutant les règles suivantes dans /etc/shorewall/rules.
</p>
</li>
</ul>
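Review bot: "le RPM requis aussi le RPM 'bind'" needs the verb form "requiert" ("le RPM requiert aussi"), and "le firewall lui même" should be "lui-même". "UDP ET  TCP" has a double (non-breaking) space in the middle where a single ordinary space is wanted. The rewrap also leaves the line ending in "/etc/shorewall/rules." well beyond the wrap width used in the rest of the hunk, which defeats the purpose of the change.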
@ -1080,9 +1087,9 @@ particuli
<div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le login
et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall
depuis Internet, utilisez SSH :</p>
depuis ou vers l'Internet car il utilise du texte en clair (même pour le
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
@ -1130,12 +1137,12 @@ d
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation</a> configure votre système
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en avez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
La <a href="Install.htm">procédure d'installation</a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la
version 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de
lancer Shorewall avec que la configuration soit finie. Une fois que vous
en avez fini avec la configuration du firewall, vous pouvez permettre le
lancement de Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
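Review bot: "n'essayer pas de lancer Shorewall avec que la configuration soit finie" carries two errors through the rewrap: the imperative is "n'essayez pas", and "avec que" should be "avant que la configuration ne soit finie". The phrase "au début avec la version 1.3.9" is also ambiguous; if the meaning is "starting with version 1.3.9 startup is disabled", write "à partir de la version 1.3.9".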
@ -1145,8 +1152,8 @@ en supprimant le fichier /etc/shorewall/startup_disabled.<br>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
routage est autorisé sur les hôtes qui possèdent une entrée dans <a
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
@ -1164,10 +1171,10 @@ d'h
</div>
<div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
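Review bot: "celle à partir de laquelle vous êtes connectée" should agree with the generic reader ("connecté") unless the feminine is intended. The warning itself is sound: as the previous hunk states, a stopped firewall only routes for hosts listed in routestopped, so issuing "shorewall stop" from a remote session without an entry for the administrator's own address cuts off that session.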
@ -1201,5 +1208,6 @@ M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -18,7 +18,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
@ -50,9 +49,8 @@
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- in 99.9% of the cases, it
will not be near the end of the log because after startup errors, Shorewall
goes through a "shorewall stop" phase which will also be traced.</li>
where the error message you saw is generated -- If you are using Shorewall
1.4.0 or later, you should find the message near the end of the log.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
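Review bot: the replacement sentence drops the explanation of why the error is not near the end of the trace on older releases (the "shorewall stop" phase that follows a startup error is also traced), so readers of pre-1.4.0 releases now get no hint where to look; keep a short clause such as "on earlier versions, look for the message before the stop phase that follows it". Also, "shorewall debug start 2> /tmp/trace" captures only stderr, which is where the shell trace goes; a parenthetical saying so would stop readers from redirecting stdout and getting an empty file.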
@ -73,13 +71,12 @@
<h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:
</p>
<p>Many times when people have problems with Shorewall, the problem is actually
an ill-conceived network setup. Here are several popular snafus: </p>
<ul>
<li>Port Forwarding where client and server are in
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Port Forwarding where client and server are
in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the
external subnet, thinking that Shorewall will suddenly believe that
the system is in the 'net' zone.</li>
@ -114,16 +111,14 @@ the event that you forget to remove them later.</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">This way, you will see all of the log messages being generated
(be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
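Review bot: the sample log line contains LEN= twice (LEN=67, then LEN=47). That is correct netfilter output (the first is the IP total length, the second the UDP length), but with no comment a reader may take it for a copy error, so the walkthrough under "Let's look at the important parts" should mention it. Markup-wise, the outer <font face="Century Gothic, Arial, Helvetica"> wraps a block-level <p>, which is not valid HTML 4 and is redundant with the inner <font face="Courier">; the inner font (or a <pre>) alone is enough.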
@ -151,8 +146,8 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
</p>
<h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
Either can't ping when you think you should be able to or are able to
ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3>
@ -160,27 +155,26 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li>
<li>the source and destination hosts are both connected to
the same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li>
<li>the source and destination hosts are both connected
to the same interface and you don't have a policy or rule for
the source zone to or from the destination zone.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want
pings to be allowed between zones, you need a rule of the form:<br>
type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination
zone&gt;    icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you
have the following in /etc/shorewall/nat:<br>
The ramifications of this can be subtle. For example, if
you have the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
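Review bot: the ACCEPT rule and the /etc/shorewall/nat line in this hunk are indented and column-separated with what appear to be non-breaking spaces inside a <li>; a reader who copies them into /etc/shorewall/rules or /etc/shorewall/nat gets U+00A0 characters that the shell-based parser does not treat as field separators, so the entries fail to parse. Put both examples in <pre> blocks with ordinary spaces; that also keeps them intact under rewrapping (the rewrap here splits "<destination zone>" across a line boundary).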
@ -190,20 +184,20 @@ and the zone containing 10.1.1.2, the ping requests will be dropped.
<li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to
the IP address of their nearest firewall interface. One often overlooked
usually need to be configured with their default gateway set to the
IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate, the
routing between them must be set up <u>in both directions.</u> So
when setting up routing between <b>A</b> and<b> B</b>, be sure to
verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
routing between them must be set up <u>in both directions.</u> So when
setting up routing between <b>A</b> and<b> B</b>, be sure to verify
that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Shorewall requires the "ip" program. That program is
generally included in the "iproute" package which should be included
<li>Shorewall requires the "ip" program. That program
is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
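Review bot: the corrected shell at ftp://ftp.shorewall.net/pub/shorewall/ash.gz is a binary the reader is invited to install as the system shell, fetched over plain FTP; the paragraph should point to a checksum or signature the reader can verify before replacing the shell, or at least link the errata page that hosts it rather than the bare file.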
@ -219,15 +213,12 @@ add all external addresses to be use with NAT unless you have set <a
<p>See the<a href="support.htm"> support page.<br>
</a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 2/21/2003 - Tom Eastep</font> </p>
<p><font size="2">Last updated 4/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>
</html>
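Review bot: the "Last updated" date moves to 4/29/2003, but the copyright line directly below it still says "2001, 2002"; add 2003 in the same change.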

View File

@ -30,8 +30,8 @@
</table>
<p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics and
follow the documentation.</p>
is a fairly straight-forward task if you understand the basics
and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
@ -59,8 +59,8 @@ local network.</li>
</b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use
the rest of this documentation (it has two local zones; "loc" and "masq"
Internet Connection Sharing is strange and is apt to confuse you if you
use the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install
@ -70,37 +70,37 @@ instructions in this Guide.</b><br>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0"
src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
height="36">
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
    If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy
before using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -112,18 +112,17 @@ Shorewall.</p>
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy
the files to /etc/shorewall (these files will replace files with
the same name).</b></p>
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
/etc/shorewall (these files will replace files with the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration, the
following zone names are used:</p>
set of <i>zones.</i> In the two-interface sample configuration,
the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
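Review bot: the new link points at a directory (http://www1.shorewall.net/pub/shorewall/Samples/) rather than at a tarball, yet the sentence still says "un-tar it (tar -zxvf two-interfaces.tgz)"; either link the archive itself or tell the reader which file to download from that directory. The doubled "and and copy" is present before and after the change and should be fixed while the line is being rewritten. Also confirm that www1.shorewall.net, rather than the www.shorewall.net used elsewhere in this page, is the intended host.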
@ -154,23 +153,23 @@ instructions and default entries.</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from
one zone to another zone in the<a
<li>You express your default policy for connections
from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common
that matches the request is applied. If that policy is REJECT
or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -250,8 +249,8 @@ firewall to the internet (if you uncomment the additional policy)</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make
any changes that you wish.</p>
    At this point, edit your /etc/shorewall/policy and
make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -259,9 +258,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -277,9 +276,9 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you have
only a single internal system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
@ -292,8 +291,8 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
width="13" height="13">
    The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have to
modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
is <b>eth1</b>. If your configuration is different, you will have
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
@ -314,17 +313,18 @@ the option list. </p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses in your internal
network (the Internal Interface on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>However
your external address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
in your internal network (the Internal Interface on your firewall plus
your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -334,18 +334,18 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
IP address of your external interface and if it is one of the
above ranges, you should remove the 'norfc1918' option from the
external interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
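Review bot: Grammar slip kept through the reflow: "we can consider a subnet to consists of a range of addresses" should read "to consist of" (it appears in both the old and the rewrapped wording), and the trailing context "notation</a> with consists of the subnet address" should read "which consists of". Since this hunk only rewraps these lines, it is a good moment to correct both.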
@ -400,17 +400,17 @@ bits from the left of the subnet mask. </p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in
the above diagram) should be configured with their<i> default gateway</i>
to be the IP address of the firewall's internal interface.<i>     
    Your local computers (computer 1 and computer 2
in the above diagram) should be configured with their<i> default
gateway</i> to be the IP address of the firewall's internal interface.<i>     
</i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
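Review bot: Typo in the trailing context line "The remainder of this quide will assume": "quide" should be "guide"; worth fixing while this paragraph is being touched. In the rewrapped "default gateway" sentence, the run of non-breaking spaces inside the final `<i>     </i>` is retained and renders as stray whitespace after the sentence; it can be dropped.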
@ -424,23 +424,23 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network.</b><br>
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
assign your external interface an RFC 1918 address. If that address is
in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
1918 subnet for your local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in
the packet to be the address of the firewall's external interface; in
other words, the firewall makes it look as if the firewall itself is
initiating the connection.  This is necessary so that the destination
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response
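Review bot: Inconsistent naming of the same standard in this hunk: the warning writes "RFC 1918" (twice) while the masquerading paragraph two sentences later writes "RFC-1918 destination address"; pick one form (the rest of the page uses "RFC 1918").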
@ -448,10 +448,10 @@ initiating the connection.
the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
@ -468,8 +468,9 @@ to computer 1. </p>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use Masquerading
if your external IP is dynamic and SNAT if the IP is static.</p>
entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
@ -505,12 +506,12 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to the firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to the firewall who rewrites the destination address
to the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
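Review bot: Minor wording carried over by the reflow: "address their connection requests to the firewall who rewrites the destination address" should be "which rewrites" (the firewall is a device, not a person).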
@ -581,13 +582,13 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul>
<li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on
computers 1 or 2 or on the firewall). If you want to be able to
access your web server using the IP address of your external interface,
of your local network (i.e., don't test from a browser running
on computers 1 or 2 or on the firewall). If you want to be able
to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000.</li>
<li>Many ISPs block incoming connection requests to
port 80. If you have problems connecting to your web server, try
the following rule and try connecting to port 5000.</li>
</ul>
@ -619,29 +620,30 @@ following rule and try connecting to port 5000.</li>
</blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any
DNAT rules that you require.</p>
    At this point, modify /etc/shorewall/rules to add
any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. Regardless of how DNS gets
configured on your firewall, it is <u>your</u> responsibility to configure
the resolver in your internal systems. You can take one of two approaches:</p>
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. Regardless of
how DNS gets configured on your firewall, it is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your firewall
system -- the name servers are given in "nameserver" records in that
file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
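Review bot: Typo preserved in both versions of the first list item: "If you ISP gave you the addresses of their servers" should read "If your ISP gave you"; since the line is being rewrapped anyway, fix it here.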
@ -652,10 +654,10 @@ as your primary and secondary name servers. Regardless of how DNS gets
is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name
server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your
local systems to talk to your caching name server, you must open port
53 (both UDP and TCP) from the local network to the firewall; you
do that by adding the following rules in /etc/shorewall/rules. </p>
in the example above) for the name server address. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the firewall; you do
that by adding the following rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -744,8 +746,8 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you uncommented the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
removed if you uncommented the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -821,8 +823,7 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server on your firewall
system:</p>
<p align="left">Example - You want to run a Web Server on your firewall system:</p>
</div>
<div align="left">
@ -876,8 +877,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -974,8 +975,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
@ -991,27 +992,27 @@ delete other connections as required.</p>
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
command. If you want to totally remove any trace of Shorewall
from your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is
stopped. If your local network isn't connected to <b>eth1</b> or if you
wish to enable access to/from other hosts, change /etc/shorewall/routestopped
routing to/from <b>eth1 </b>(the local network) when Shorewall
is stopped. If your local network isn't connected to <b>eth1</b> or
if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate
the internet, do not issue a "shorewall stop" command unless
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1025,5 +1026,6 @@ configuration</a></i> and test it using the <a
<br>
<br>
<br>
<br>
</body>
</html>
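Review bot: The only change in this hunk is a fourth empty `<br>` inserted before `</body>`; that is editor layout padding, not content, and could be left out of the commit to keep the diff to the intended rewording.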

View File

@ -39,11 +39,11 @@
<p align="left"><br>
<small><i><u>Notes du traducteur</u> :<br>
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou mon
travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne me
suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t
&agrave; en faire une version fran&ccedil;aise intelligible par tous (et
par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou
mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne
me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais
plut&ocirc;t &agrave; en faire une version fran&ccedil;aise intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
les retrouver dans le reste des documentations ainsi que dans les fichiers
de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
@ -57,8 +57,8 @@ qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i>
pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p>
<ul>
@ -91,8 +91,8 @@ guide.</b></p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
</i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall.
Sous root, utilisez la commande 'which' pour rechercher le programme :</p>
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. Sous
root, utilisez la commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -107,8 +107,8 @@ par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
<p><img src="images/j0213519.gif" name="Image3" align="bottom"
width="60" height="60" border="0">
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix
si votre &eacute;diteur offre cette option sinon vous devez les faire passer
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix si
votre &eacute;diteur offre cette option sinon vous devez les faire passer
par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
si vous copiez un fichier de configuration depuis votre disque dur Windows
vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
@ -134,12 +134,11 @@ of dos2unix</a> </p>
&nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>,
t&eacute;l&eacute; chargez<b> le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
sample</a>, un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers
vers /etc/shorewall (ces fichiers remplaceront les fichiers de m&ecirc;me
nom).</b></p>
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute;
Shorewall</a>, t&eacute;l&eacute; chargez<b> le <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall
(ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
<p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers,
je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement
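Review bot: The download link is changed from a specific tarball (http://france.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz) to a directory (http://www1.shorewall.net/pub/shorewall/Samples/), but the following instruction still says "un-tarez le (tar -zxvf two-interfaces.tgz)", so the reader is no longer told which file in that directory to fetch; either link the tarball directly or name the file to download. Same line: "t&eacute;l&eacute; chargez" has a stray space in both the old and new wrapping (t&eacute;l&eacute;chargez).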
@ -205,11 +204,11 @@ d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/r
<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande
de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou
DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par
rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p>
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande de
connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou DROP&nbsp;
la requ&ecirc;te est dans un premier temps compar&eacute;e par rapport aux
r&egrave;gles contenues dans /etc/shorewall/common.</p>
<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
a les politiques suivantes:</p>
@ -292,9 +291,9 @@ a les politiques suivantes:</p>
</dd>
</dl>
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante
est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall
puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante est
inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall puisse
avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
la ligne.</blockquote>
<a name="AutoNumber31"></a>
<dl>
@ -409,8 +408,8 @@ pas que ce soit shorewall qui ne marche pas.</p>
suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>.
Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence.
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options
qui sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options qui
sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
<ul>
<li>
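Review bot: Missing space in the leading context line "votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>": rendered, it reads "eth0et"; add a space after the closing `</b>`.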
@ -432,17 +431,17 @@ ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP
address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de
votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement
de votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
une adresse statique<i> (static</i>IP address); cela signifie que vous devez
configurer l'interface externe de votre firewall afin d'utiliser cette adresse
de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau
local (votre interface interne sur le firewall &nbsp;ainsi que les autres
ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP
address ranges) &agrave; cette fin :</p>
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre
r&eacute;seau local (votre interface interne sur le firewall &nbsp;ainsi
que les autres ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages
d'IP (<i>Private</i>IP address ranges) &agrave; cette fin :</p>
<pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
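Review bot: The trailing context `<pre>` line reads "10.0.0.0 - 10.255.255.255an", which corrupts the first RFC 1918 range with a stray "an"; the English version of this page has "10.255.255.255". Worth fixing while this paragraph is reflowed. In the same paragraph, "<i>Public</i>IP", "Dynamic<i> Host Configuration Protocol</i>(DHCP)" and "<i>Private</i>IP" are each missing the space after the closing tag.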
@ -456,11 +455,11 @@ externe dans le fichier /etc/shorewall/interfaces.</p>
<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
(<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0.
L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau
(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse
de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un
sous-r&eacute;seau est d&eacute;crit en utilisant <a
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. L'adresse
x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau (<i>Subnet
Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse de
broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un sous-r&eacute;seau
est d&eacute;crit en utilisant <a
href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
@ -523,16 +522,16 @@ des paquets &agrave; travers le gateway (routeur).</p>
<p align="left"><img src="images/BD21298_1.gif" name="Image11"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur 2
dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface
interne du firewall.</p>
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur
2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de
l'interface interne du firewall.</p>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
regarding subnetting and routing. If you are interested in learning more about
IP addressing and routing, I highly recommend <i>"IP Fundamentals: What Everyone
Needs to Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
1999, ISBN 0-13-975483-0.</p>
<p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
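Review bot: The paragraph "The foregoing short discussion barely scratches the surface ..." is still in English in this French guide; this hunk only reflows it. Translating it (keeping the bibliographic reference, Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0, as is) would be the more useful change at this point.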
@ -548,8 +547,8 @@ votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
Internet (backbone) ne font pas circuler les paquets qui ont une adresse
de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
Internet (backbone) ne font pas circuler les paquets qui ont une adresse de
destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
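Review bot: "r&eacute; &eacute;crit" in the trailing context line should be a single word (r&eacute;&eacute;crit); the same split appears later in the file as "r&eacute; &eacute;crire".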
@ -558,22 +557,22 @@ le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet,
donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave;
l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse,
il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet
vers l'ordinateur 1. </p>
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, donc
l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'ordinateur
1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, il remet
l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet vers
l'ordinateur 1. </p>
<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi
le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi le
terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface
externe. </p>
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface externe.
</p>
</li>
<li>
<p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez
@ -593,22 +592,22 @@ SNAT si elle est statique.</p>
&nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
colonne par le nom de votre interface externe, et la seconde colonne par
le nom de votre interface interne.</p>
colonne par le nom de votre interface externe, et la seconde colonne par le
nom de votre interface interne.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image14"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez
cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez cette
colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
colonne permet un traitement des paquets sortant un peu plus efficace.<br>
<br>
<img src="images/BD21298_.gif" name="Image15" align="bottom" width="13"
height="13" border="0">
&nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez que
votre fichier de configuration shorewall.conf contient bien les valeurs suivantes,
si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
<img src="images/BD21298_.gif" name="Image15" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez
que votre fichier de configuration shorewall.conf contient bien les valeurs
suivantes, si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
<ul>
<li>
@ -633,8 +632,8 @@ applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source
dans la r&eacute;ponse.</p>
<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez
le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez le
port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
dans /etc/shorewall/rules est:</p>
@ -761,8 +760,8 @@ voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrav
<li>
<p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente
depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1
ou 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 ou
2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
&agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall,
regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p>
</li>
@ -850,9 +849,9 @@ proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
<ul>
<li>
<p align="left">Vous pouvez configurer votre syst&egrave;me interne
pour utiliser les noms de serveurs de votre provider. Si votre fournisseur
vous donne les adresses de leurs serveurs ou si ces adresses sont disponibles
<p align="left">Vous pouvez configurer votre syst&egrave;me interne pour
utiliser les noms de serveurs de votre provider. Si votre fournisseur vous
donne les adresses de leurs serveurs ou si ces adresses sont disponibles
sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin
de les utiliser. Si cette information n' est pas disponible, regardez dans
/etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s
@ -1039,10 +1038,10 @@ contiennent les r&egrave;gles suivantes :</p>
</dd>
</dl>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave;
partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez
d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant
toutes les connexions depuis le firewall vers Internet.</p>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; partir
de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez d&eacute;
comment&eacute; la ligne dans /etc/shorewall/policy autorisant toutes les
connexions depuis le firewall vers Internet.</p>
<p align="left">Les exemples contiennent aussi :</p>
<a name="AutoNumber45"></a>
@ -1103,12 +1102,11 @@ toutes les connexions depuis le firewall vers Internet.</p>
</dl>
<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre
r&eacute;seau local.</p>
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre r&eacute;seau
local.</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre
firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est
:</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre firewall
et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p>
<a name="AutoNumber46"></a>
<dl>
<dd>
@ -1249,15 +1247,15 @@ firewall :</p>
</dd>
</dl>
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter
aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter aux
r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
<p align="left">Si vous ne savez pas quel port et quel protocole une application
particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre
le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre le
telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
sur votre firewall depuis Internet, utilisez SSH :</p>
<a name="AutoNumber48"></a>
@ -1333,8 +1331,8 @@ est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une
fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre
le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
@ -1347,11 +1345,10 @@ dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left"><img src="images/BD21298_.gif" name="Image20"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local)
lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est
pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s
depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped
en cons&eacute;quence.</p>
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) lorsque
Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est pas connect&eacute;
&agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s depuis ou
vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped en cons&eacute;quence.</p>
<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
@ -1376,5 +1373,6 @@ M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>


@ -35,16 +35,21 @@
version number mentioned in the section title is later than what you are
currently running.<br>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p>
<h3> </h3>
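Review bot: "In the descriptions that follows" in the context line at the top of this hunk should read "that follow"; since the paragraph is already being rewrapped here, fix it in the same change. The empty `<h3> </h3>` left at the end of the hunk renders as a blank heading and can be dropped.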
@ -52,36 +57,36 @@ be a host address) accessed through a particular interface.<br>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself
was treated just like any other traffic; any matching rules were applied
followed by enforcement of the appropriate policy. With 1.4.1 and later
versions, unless you have explicit rules for traffic from Z to Z or you
have an explicit Z to Z policy (where "Z" is some zone) then traffic between
the groups in zone Z will be accepted. If you do have one or more explicit
rules for Z to Z or if you have an explicit Z to Z policy then the behavior
is as it was in prior versions.</li>
zone is accepted by default. Previously, traffic from a zone to itself was
treated just like any other traffic; any matching rules were applied followed
by enforcement of the appropriate policy. With 1.4.1 and later versions,
unless you have explicit rules for traffic from Z to Z or you have an explicit
Z to Z policy (where "Z" is some zone) then traffic between the groups
in zone Z will be accepted. If you do have one or more explicit rules for
Z to Z or if you have an explicit Z to Z policy then the behavior is as it
was in prior versions.</li>
</ul>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic
between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and
traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has
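Review bot: "such a setups are ridiculous" in the context at the top of this hunk should be "such setups are ridiculous"; worth fixing while this section is being rewrapped. Moving the "shorewall check" sentence up next to the group examples is the right place for it, and the rewrapped 1.4.1 bullet keeps its wording intact.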
@ -94,45 +99,11 @@ between the interfaces will traverse fewer rules than previously.</li>
</blockquote>
<ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules
to deal with traffic from a given group back to itself. The <i>multi</i>
interface option is no longer available so if you want to route traffic between
two subnetworks on the same interface then either:</li>
<li> Sometimes, you want two separate zones on one interface but you
don't want Shorewall to set up any infrastructure to handle traffic between
them. </li>
</ul>
<blockquote>
<ol>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li>
</ol>
</blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote>
Example 2 -- One zone:
<blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote>
Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't
want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br>
Example:<br>
<blockquote>Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
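Review bot: "The secont Zone" in the zones example that survives this hunk is a typo for "The second Zone"; fix it while the example is being moved. Also, the new "Sometimes, you want two separate zones on one interface" text is now a lone `<li>` in its own `<ul>`, while the example it introduces and its explanation sit in a `<blockquote>` after the list, so it reads as a stray bullet; folding the sentence into the blockquote (or making the example part of the list item) would keep the introduction and the example together.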
@ -140,13 +111,24 @@ want Shorewall to set up any infrastructure to handle traffic between them.
involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction. 
and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
</h3>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal
with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then I recommend that you upgrade to Version
1.4.2 and use the 'routeback' interface or host option. </li>
</ul>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br>
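Review bot: The line this hunk modifies still carries two typos, "asymetric" and "polciy" (read "asymmetric" and "policy"), and the NONE example it wraps in the blockquote nests a `<pre>` inside another `<pre>`, which is not valid HTML and renders unpredictably; a single `<pre>` containing all three lines is enough. The new "Version 1.4.1" section tells readers to "upgrade to Version 1.4.2" for the 'routeback' option, but this release is 1.4.3 (see the VERSION bumps and spec changelog elsewhere in this diff), so "1.4.2 or later" avoids the text going stale.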
@ -179,10 +161,11 @@ are entries for the zone in both files.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by
default; there is no need for your own /etc/shorewall/common file simply
to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file
have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
@ -205,8 +188,8 @@ have been moved to /usr/share/shorewall.</li>
<ul>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ul>
@ -219,11 +202,11 @@ not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same
then the rule must be explicit - it must name the zone in both the SOURCE
and DESTINATION columns.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
</blockquote>
@ -282,11 +265,11 @@ follows:<br>
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
used (If the option is not set in your /etc/shorewall/shorewall.conf then
OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the old
handling indefinitely so I urge current users to migrate to using the
new handling as soon as possible. See the <a href="ping.html">'Ping' handling
documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
@ -315,8 +298,8 @@ handling documentation</a> for details.<br>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p>
rules in their /etc/shorewall/icmpdef file (creating this file
if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
@ -328,8 +311,8 @@ file if necessary):</p>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
<li>Be sure you have a
backup -- you will need to transcribe
<li>Be sure you have
a backup -- you will need to transcribe
any Shorewall configuration changes
that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
@ -357,8 +340,8 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
@ -426,12 +409,13 @@ symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font size="2"> Last updated 4/13/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>
</html>
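Review bot: The "Last updated" stamp is changed to 4/13/2003, but the %changelog entry added in the spec file hunk of this same diff is dated Sun May 18 2003 and the page documents 1.4.2-era changes that this commit revises; the stamp should match the date of this edit.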


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.2
VERSION=1.4.3
usage() # $1 = exit status
{


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.2
VERSION=1.4.3
usage() # $1 = exit status
{


@ -2,89 +2,20 @@ This is a minor release of Shorewall.
Problems Corrected:
1) TCP connection requests rejected out of the common chain are now
properly rejected with TCP RST; previously, some of these requests
were rejeced with an ICMP port-unreachable response.
1) There were several cases where Shorewall would fail to remove a
temporary directory from /tmp. These cases have been corrected.
2) 'traceroute -I' from behind the firewall previously timed out on the
first hop (e.g., to the firewall). This has been worked around.
2) The rules for allowing all traffic via the loopback interface have
been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if
Netfilter connection tracking is confused.
New Features:
1) Where an entry in the/etc/shorewall/hosts file specifies a
particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can
substantially reduce the number of rules traversed by connections
requests from such zones.
2) Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the
contents of the named file to be logically included into the file
containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command.
Examples:
shorewall/params.mgmt:
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
TIME_SERVERS=4.4.4.4
BACKUP_SERVERS=5.5.5.5
----- end params.mgmt -----
shorewall/params:
# Shorewall 1.3 /etc/shorewall/params
[..]
#######################################
INCLUDE params.mgmt
# params unique to this host here
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
----- end params -----
shorewall/rules.mgmt:
ACCEPT net:$MGMT_SERVERS $FW tcp 22
ACCEPT $FW net:$TIME_SERVERS udp 123
ACCEPT $FW net:$BACKUP_SERVERS tcp 22
----- end rules.mgmt -----
shorewall/rules:
# Shorewall version 1.3 - Rules File
[..]
#######################################
INCLUDE rules.mgmt
# rules unique to this host here
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----- end rules -----
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored.
3) Routing traffic from an interface back out that interface continues
to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that
such nonsense produces, I have added a new 'routeback' option in
/etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on
individual group entries in /etc/shorewall/hosts.
The 'routeback' option is similar to the old 'multi' option with two
exceptions:
a) The option pertains to a particular zone,interface,address tuple.
b) The option only created infrastructure to pass traffic from
(zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').
See the 'Upgrade Issues' for information about how this new option
may affect your configuration.
1) IPV6-IPV4 (6to4) tunnels are now supported in the
/etc/shorewall/tunnels file.
2) Shorewall can now be easily integrated with fireparse
(http://www.fireparse.com) by setting LOGMARKER="fp=" in
/etc/shorewall/shorewall.conf. Note: You may not use ULOG
with fireparse unless you modify fireparse.
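Review bot: The fireparse setting given here, LOGMARKER="fp=", disagrees with the comment added to shorewall.conf in this same diff, which says the value must be "fp=Shorewall:"; pick one and use it in both places, since a user following the release notes would get a marker that does not match what the conf comment (and presumably fireparse) expects. The note that ULOG cannot be used with fireparse should also say why, or at least point at the shorewall.conf comment, so the restriction is discoverable from the config file as well.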


@ -134,6 +134,8 @@ get_config() {
fi
[ -n "$FW" ] || FW=fw
[ -n "$LOGMARKER" ] || LOGMARKER="Shorewall:"
}
#
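Review bot: Keeping the previous hard-coded "Shorewall:" as the fallback means existing logs still match when LOGMARKER is unset, which is good; but the value is not validated here even though it is interpolated unquoted into grep and sed patterns later in this file. Since this is the place where the other defaults are checked, reject (or at least warn on) a LOGMARKER containing whitespace or a '/', which shorewall.conf already tells users not to use.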
@ -259,9 +261,9 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
grep "${LOGMARKER}\|ipt_unclean" $LOGFILE | \
sed s/" kernel:"// | \
sed s/" $host Shorewall:"/" "/ | \
sed s/" $host $LOGMARKER"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \
tail $options
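Review bot: In `sed s/" $host $LOGMARKER"/" "/` the marker is spliced into an s/// expression whose delimiter is '/', so any '/' in LOGMARKER ends the pattern early and sed errors out; use a delimiter that cannot appear in the marker (for example `s|...|...|`). Likewise `grep "${LOGMARKER}\|ipt_unclean"` treats the marker as a basic regular expression, so a value containing '.', '*' or '[' matches more (or less) than the literal prefix; either document that or escape the value before use.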
@ -732,27 +734,27 @@ case "$1" in
timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
if [ `grep -c "$LOGMARKER" $LOGFILE ` -gt 0 ] ; then
echo " HITS IP DATE"
echo " ---- --------------- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
echo ""
echo " HITS IP PORT"
echo " ---- --------------- -----"
grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
grep "$LOGMARKER" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn
echo ""
echo " HITS DATE"
echo " ---- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
grep "$LOGMARKER" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
echo ""
echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
grep '${LOGMARKER}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do
# List all services defined for the given port
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
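Review bot: `grep '${LOGMARKER}.*DPT' $LOGFILE` uses single quotes, so the shell does not expand `${LOGMARKER}` and grep searches for the literal text `${LOGMARKER}.*DPT`; the "HITS PORT SERVICE(S)" table will therefore always be empty. The other three replacements in this hunk correctly use double quotes, so this one should be `grep "${LOGMARKER}.*DPT" $LOGFILE`.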


@ -54,6 +54,15 @@
LOGFILE=/var/log/messages
#
# LOG MARKER
#
# Used to identify Shorewall log messages. If you are using fireparse, you must
# set this to "fp=Shorewall:". You may not use the ULOG level with fireparse and
# you must not embed white space in the LOGMARKER value.
LOGMARKER="Shorewall:"
#
# LOG RATE LIMITING
#
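Review bot: The comment should tell users that LOGMARKER is used as a grep/sed pattern by the log reporting commands, so regex metacharacters and '/' in the value are not safe, not just embedded white space. It should also be explicit about what the marker must match: this diff changes only the log-parsing side, and nothing visible here changes the prefix the LOG rules emit, so confirm that the rule side produces the same prefix, otherwise "shorewall logwatch" and the hit reports will silently match nothing.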


@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.2
%define version 1.4.3
%define release 1
%define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sun May 18 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.3-1
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.2-1
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>


@ -10,7 +10,7 @@
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "pptpclient", "pptpserver" or "openvpn".
# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn".
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.2
VERSION=1.4.3
usage() # $1 = exit status
{