extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 23:53:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.3.7 Changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@207 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-08-22 21:21:41 +00:00
parent 95d02199f9
commit 72f67478b2
52 changed files with 783 additions and 319 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
Shorewall-docs/Documentation.htm
View File

@ -9,11 +9,17 @@
<base target="_self">
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none, default">
<meta name="Microsoft Border" content="none, default">
</head>
<body>
<h1 align="center">Shorewall 1.3 Reference</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall 1.3 Reference</font></h1>
</td>
</tr>
</table>
@ -120,25 +126,13 @@ Shorewall programs</p>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
<pre><font face="Courier"> NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918</font></pre>
<p>Example (/etc/shorewall/interfaces record):</p>
<pre> <font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
<p>The result will be the same as if the record had been written</p>
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
<pre> <font face="Courier">net eth0 130.252.100.255 noping,norfc1918</font></pre>
<p>Variables may be used anywhere in the
other configuration files.</p>
@ -155,7 +149,9 @@ NET_OPTIONS=noping,norfc1918</pre>
length and consist of lower-case letters or numbers. Short names must begin
with a letter and the name assigned to the firewall is reserved for use by Shorewall itself. Note that the output produced
by iptables is much easier to read if you select short names that
are three characters or less in length.</li>
are three characters or less in length. The name &quot;all&quot; may not be used as
a zone name nor may the zone name assigned to the firewall itself via the FW
variable in <a href="#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>
DISPLAY</b> - The name of the zone as displayed during Shorewall startup.</li>
<li><b>
@ -1989,6 +1985,12 @@ a development snapshot as patching with version 1.9 results in kernel compilat
<p>
This file is used to set the following firewall parameters:</p>
<ul>
<li><b>FORWARDPING</b> - Added in Version 1.3.7<br>
When set to &quot;Yes&quot; or &quot;yes&quot;, ICMP echo-request (ping) packets from interfaces
that specify &quot;filterping&quot; are ACCEPTed by the firewall. When set to &quot;No&quot; or
&quot;no&quot;, such ping requests are silently dropped unless they are handled by an
explicit entry in the <a href="#Rules">rules file</a>. If not specified, &quot;No&quot;
is assumed.</li>
<li><b>LOGNEWNOTSYN</b> - Added in Version 1.3.6<br>
Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets that are
not part of an existing connection. If you would like to log these packets,
@ -2104,7 +2106,10 @@ starts, it will create the directory. Example: STATEDIR=/tmp/shorewall.<b
"No" ("no") and specifies whether Shorewall allows connection requests
that are related to an already allowed connection. If you say "No" ("no"),
you can still override this setting by including "related" rules in
/etc/shorewall/rules ("related" given as the protocol).</li>
/etc/shorewall/rules ("related" given as the protocol). If you specify
ALLOWRELATED=No, you will need to include rules in
<a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a> to
handle common ICMP packet types.</li>
<li><b>
MODULESDIR</b><br>
This parameter specifies the directory where your kernel netfilter
@ -2689,7 +2694,7 @@ by Shorewall, you must have <a href="#MangleEnabled">mangle support enabled</a
<p><font size="2">
Updated 8/14/2002 - <a href="support.htm">Tom
Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a>
</font></p>

1
Shorewall-docs/Documentation_Index.htm
View File

@ -6,7 +6,6 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>

146
Shorewall-docs/FAQ.htm
View File

@ -6,79 +6,86 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="center">Shorewall FAQs</h1>
<h2 align="left">About Shorewall</h2>
<blockquote>
<p align="left"><a href="#faq13">Why do you call it &quot;Shorewall&quot;?</a></p>
<p align="left"><a href="#faq10">What distributions does it work with?</a></p>
<p align="left"><a href="shorewall_features.htm">What features does it support?</a></p>
<p align="left"><a href="#faq12">Why isn't there a GUI?</a></p>
</blockquote>
<h2 align="left">Filtering</h2>
<blockquote>
<p align="left"><a href="#faq14">I'm connected via a cable modem and it has an
internel web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface, it also blocks the cable modems
web server</a>.</p>
<p align="left"><a href="#faq14a">Even though it assigns public IP addresses, my
ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my
external interface, my DHCP client cannot renew its lease.</a></p>
<p align="left"><a href="#faq4">I just used an online port scanner to check my
firewall and it shows some ports as 'closed' rather than 'blocked'. Why?</a></p>
<p align="left"><a href="#faq4a">I just ran an nmap UDP scan of my firewall and
it showed 100s of ports as open!!!!</a></p>
</blockquote>
<h2 align="left">Port Forwarding</h2>
<blockquote>
<p align="left"><a href="#faq1">I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.</a></p>
<p align="left"><a href="#faq1a">Ok -- I followed those instructions but it
doesn't work.</a></p>
<p align="left"><a href="#faq2">I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.</a></p>
<p align="left"><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.</a></p>
</blockquote>
<h2 align="left">Applications</h2>
<blockquote>
<p align="left"><a href="#faq3">I want to use Netmeeting with Shorewall. What do I do?</a></p>
</blockquote>
<h2 align="left">Connection Problems</h2>
<blockquote>
<p align="left"><a href="#faq5">I've installed Shorewall and now I can't ping through the
firewall</a></p>
<p align="left"><a href="#faq15">My local systems can't see out to the net</a></p>
</blockquote>
<h2 align="left">Logging</h2>
<blockquote>
<p align="left"><a href="#faq6">Where are the log messages written and&nbsp;
how do I change the destination?</a></p>
<p align="left"><a href="#faq16">Shorewall is writing log messages all over my
console making it unusable!</a></p>
<p align="left"><a href="#faq6a">Are there any log parsers that work with
Shorewall?</a></p>
</blockquote>
<h2 align="left">Starting and stopping the firewall</h2>
<blockquote>
<p align="left"><a href="#faq7">When I stop Shorewall using 'shorewall stop',
I can't connect to anything. Why doesn't that command work?</a></p>
<p align="left"><a href="#faq8">When I try to start Shorewall on RedHat 7.x, I
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall FAQs</font></h1>
</td>
</tr>
</table>
<p align="left"><b>1. </b><a href="#faq1">&nbsp;I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked
everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. <b>External clients can browse</b>
http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts in
Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access each other using their DNS
names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting </b>with
Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner to
check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now I <b>
can't ping</b> through the firewall</a></p>
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
written and&nbsp; how do I <b>change the destination</b>?</a></p>
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
that work with Shorewall?</a></p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall on RedHat 7.x</b>, I
get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><a href="#faq17">Why can't Shorewall detect my interfaces
properly?</a></p>
</blockquote>
<h2 align="left">Design</h2>
<blockquote>
<p align="left"><a href="#faq9">Why does Shorewall only accept IP addresses as
<p align="left"><b>9. </b><a href="#faq9"><b>Why </b>does Shorewall <b>only accept IP addresses</b> as
opposed to FQDNs?</a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does it
work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>&quot;Shorewall&quot;?</b></a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem and it has an internel
web server that allows me to configure/monitor it but as expected if I enable <b>
rfc1918 blocking</b> for my eth0 interface, it also blocks the <b>cable modems
web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
filtering on my external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see out to
the net</b></a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!</a></p>
<p align="left"><b>17. </b><a href="#faq17">Why can't Shorewall <b>detect my
interfaces </b>properly?</a></p>
<blockquote>
<p align="left">&nbsp;</p>
</blockquote>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
@ -556,11 +563,10 @@ over my console making it unusable!</h4>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1.
</div>
zone is defined as all hosts connected through eth1.</div>
<p align="left"><font size="2">Last updated
7/31/2002 - <a href="support.htm">Tom
8/15/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

9
Shorewall-docs/GnuCopyright.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h2><a href="#TOC1" name="SEC1">GNU Free Documentation License</a></h2>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h2 align="center"><font color="#FFFFFF">GNU Free Documentation License</font></h2>
</td>
</tr>
</table>
<p>Version 1.1, March 2000 </p>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

9
Shorewall-docs/IPIP.htm
View File

@ -5,11 +5,16 @@
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">GRE and IPIP Tunnels</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">GRE and IPIP Tunnels</font></h1>
</td>
</tr>
</table>
<h3><font color="#FF6633">Warning: </font>GRE and IPIP Tunnels are insecure when used
over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks.&nbsp;GRE

68
Shorewall-docs/IPSEC.htm
View File

@ -10,10 +10,15 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
</head>
<body>
<h1 align="center">IPSEC Tunnels</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
</td>
</tr>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
http://jixen.tripod.com</a>
@ -113,8 +118,28 @@ on system B, we would have:</p>
</tbody>
</table></blockquote>
<p align="Left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created a
zone called &quot;vpn&quot; to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote>
<p align="Left">At both
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw"
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
interface:</p>
<blockquote>
@ -131,7 +156,7 @@ interface:</p>
OPTIONS</strong></td>
</tr>
<tr>
<td>gw</td>
<td>vpn</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
@ -140,7 +165,7 @@ interface:</p>
</tbody>
</table></blockquote>
<p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and
<p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and
the &quot;loc&quot; zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
@ -155,13 +180,13 @@ interface:</p>
</tr>
<tr>
<td>loc</td>
<td>gw</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>gw</td>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
@ -188,6 +213,26 @@ be able to establish a secure connection back to your local network.</p>
<img src="images/Mobile.png" width="677" height="426">
</font></strong></p>
<p align="Left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created a zone
called &quot;vpn&quot; to represent the remote host.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote>
<p align="Left"> In this
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
be determined in advance. In the /etc/shorewall/tunnels file on system A,
@ -210,15 +255,14 @@ the following entry should be made:</p>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>gw</td>
<td>vpn</td>
</tr>
</tbody>
</table></blockquote>
<p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks
(<i>gw</i> in the default /etc/shorewall/zones). This indicates that the
ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
@ -228,7 +272,7 @@ remote gateway is a standalone system.</p>
<p><font size="2"> Last
updated 5/18/2002 - </font><font size="2">
updated 8/20/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>

10
Shorewall-docs/Install.htm
View File

@ -5,10 +5,16 @@
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body><h1 align="center">Shorewall Installation</h1>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation</font></h1>
</td>
</tr>
</table>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install

9
Shorewall-docs/NAT.htm
View File

@ -5,13 +5,18 @@
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<blockquote>
<h1 align="center">Static NAT</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Static NAT</font></h1>
</td>
</tr>
</table>
<p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static NAT.
Port forwarding can be accomplished with simple entries in the

35
Shorewall-docs/News.htm
View File

@ -5,12 +5,41 @@
<title>Shorewall News</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="center">Shorewall News Archive</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall News Archive</font></h1>
</td>
</tr>
</table>
<p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002</b></p>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file were required in
ipchains firewalls but are not required in Shorewall. Users who have
ALLOWRELATED=No in <a href="Documentation.htm#Conf">shorewall.conf</a> should
see the <a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to <a href="Documentation.htm#Conf">
shorewall.conf</a>. The effect of setting this variable to Yes is the same as
the effect of adding an ACCEPT rule for ICMP echo-request in
<a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>. Users
who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to the rfc1918
file.</li>
<li>Shorewall now works with iptables 1.2.7</li>
<li>The documentation and web site no longer uses FrontPage themes.</li>
</ul>
<p>I would like to thank John Distler for his valuable input regarding TCP SYN
and ICMP treatment in Shorewall. That input has led to marked improvement in
Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
@ -995,7 +1024,7 @@ version:</p>
additional &quot;gw&quot; (gateway) zone for tunnels and it supports IPSEC
tunnels with end-points on the firewall. There is also a .lrp available now.</b></p>
<p><font size="2">Updated 8/13/2002 - <a href="support.htm">Tom
<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">

9
Shorewall-docs/PPTP.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">PPTP</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">PPTP</font></h1>
</td>
</tr>
</table>
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul>

27
Shorewall-docs/ProxyARP.htm
View File

@ -5,27 +5,37 @@
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<blockquote>
<h1 align="center">Proxy ARP</h1>
<p>&nbsp;</p>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Proxy ARP</font></h1>
</td>
</tr>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.</p>
<p>The following figure represents a Proxy ARP
environment.</p>
<blockquote>
<p align="center"><strong>
<img src="images/proxyarp.png" width="444" height="397"></strong></p>
<img src="images/proxyarp.png" width="519" height="397"></strong></p>
<blockquote>
</blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.&nbsp; Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries in
/etc/shorewall/proxyarp:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ADDRESS</b></td>
@ -46,6 +56,8 @@
<td>no</td>
</tr>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19&nbsp;
in the above example) are not included in any specification in
/etc/shorewall/masq or /etc/shorewall/nat.</p>
@ -56,7 +68,7 @@
Firewall system's eth0 is configured.</p>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
there routers with a long ARP cache timeout. If you move a system from
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet. You
can call your ISP and ask them to purge the stale ARP cache entry but many
@ -86,9 +98,8 @@
was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still
associates 130.252.100.19 with the NIC in that system rather than with the firewall's
eth0.</div>
</blockquote>
<p><font size="2">Last updated 8/11/2002 - </font><font size="2">
<p><font size="2">Last updated 8/17/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

75
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -7,47 +7,70 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#4B017C" height="90">
<tr>
<td width="100%">
<td width="100%" height="90">
<h3 align="center"><font color="#FFFFFF">Shorewall</font></h3>
</td>
</tr>
</table>
<table border="0" cellpadding="8" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber2">
<tr>
<td width="14%">&nbsp;</td>
<td width="86%">
<a href="seattlefirewall_index.htm">Home</a><br>
<a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a><br>
<a href="shorewall_features.htm">Features</a><br>
<a href="shorewall_prerequisites.htm">Requirements</a><br>
<a href="download.htm">Download</a><br>
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a><br>
<a href="Install.htm">Installation/Upgrade<br>
/Configuration</a><br>
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a><br>
<a href="Documentation.htm">Reference Manual</a><br>
<a href="FAQ.htm">FAQs</a><br>
<a href="troubleshoot.htm">Troubleshooting</a><br>
<a href="errata.htm">Errata</a><br>
<a href="support.htm">Support</a><br>
<a href="mailing_list.htm">Mailing Lists</a><br>
<td width="100%" bgcolor="#FFFFFF">
<ul>
<li>
<a href="seattlefirewall_index.htm">Home</a></li>
<li>
<a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li>
<a href="shorewall_prerequisites.htm">Requirements</a></li>
<li>
<a href="download.htm">Download</a></li>
<li>
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li>
<a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li>
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li>
<a href="Documentation.htm">Reference Manual</a></li>
<li>
<a href="FAQ.htm">FAQs</a></li>
<li>
<a href="troubleshoot.htm">Troubleshooting</a></li>
<li>
<a href="errata.htm">Errata/Upgrade Issues</a></li>
<li>
<a href="support.htm">Support</a></li>
<li>
<a href="mailing_list.htm">Mailing Lists</a></li>
<li>
<a href="shorewall_mirrors.htm">Mirrors</a><ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
</ul>
<a href="News.htm">News Archive</a><br>
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a><br>
<a href="quotes.htm">Quotes from Users</a><br>
<a href="shoreline.htm">About the Author</a><br>
<a href="seattlefirewall_index.htm#Donations">Donations</a></td>
</li>
</ul>
<ul>
<li>
<a href="News.htm">News Archive</a></li>
<li>
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></li>
<li>
<a href="quotes.htm">Quotes from Users</a></li>
<li>
<a href="shoreline.htm">About the Author</a></li>
<li>
<a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</table>

9
Shorewall-docs/blacklisting_support.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Blacklisting Support</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Blacklisting Support</font></h1>
</td>
</tr>
</table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<h2>Static Blacklisting</h2>
<p>Shorewall

9
Shorewall-docs/configuration_file_basics.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Configuration Files</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Configuration Files</font></h1>
</td>
</tr>
</table>
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">

9
Shorewall-docs/copyright.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Copyright</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Copyright</font></h1>
</td>
</tr>
</table>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp; 2000, 2001
Thomas M Eastep<br>
&nbsp;</p>

9
Shorewall-docs/dhcp.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">DHCP</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">DHCP</font></h1>
</td>
</tr>
</table>
<h2 align="left">DHCP Server on your firewall</h2>
<ul>
<li>

13
Shorewall-docs/download.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Download</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Download</font></h1>
</td>
</tr>
</table>
<p><b>I strongly urge you to read and print a copy of the
<a href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
@ -61,7 +66,7 @@ AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p>
<p>Download Latest Version (<b>1.3.6</b>): <b>Remember that updates to the mirrors
<p>Download Latest Version (<b>1.3.7</b>): <b>Remember that updates to the mirrors
occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse">
@ -211,7 +216,7 @@ Shorewall component. There's no guarantee that what you find there will work at
all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 8/05/2002 - <a href="support.htm">Tom
<p align="left"><font size="2">Last Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

114
Shorewall-docs/errata.htm
View File

@ -10,15 +10,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="center">Shorewall Errata/Upgrade Issues</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</table>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<b><u>IMPORTANT</u></b></p>
<ol>
<li>
@ -86,6 +90,53 @@ dos2unix</a></u>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in
/etc/shorewall.conf will need to include the
following rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the &quot;.
/etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now
empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup -- you will need
to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided on
the Bering floppy with the later one. If you did
not obtain the later version from Jacques's
site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry if
present. Then do not forget to backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
setting up a two-interface firewall</a> plus you also need to add the following
two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="Left">Version &gt;= 1.3.6</h3>
<p align="Left">If you have a pair of firewall systems configured for
@ -144,6 +195,38 @@ dos2unix</a></u>
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3 align="Left">Version 1.3.6</h3>
<ul>
<li>
<p align="Left">If ADD_SNAT_ALIASES=Yes is specified in
/etc/shorewall/shorewall.conf, an error occurs when the firewall
script attempts to add an SNAT alias.</li>
<li>
<p align="Left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables 1.2.7.</li>
</ul>
<p align="Left">These problems are fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="Left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="Left">A line was inadvertently deleted from the &quot;interfaces
file&quot; -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="Left">net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; detect&nbsp;&nbsp;&nbsp;
routefilter,dhcp,norfc1918</p>
<p align="Left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="Left">Version 1.3.5-1.3.5b</h3>
<p align="Left">The new 'proxyarp' interface option doesn't work :-(
@ -289,8 +372,7 @@ you are currently running RedHat 7.1, you can install either of these RPMs
<p align="Left"><font color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
</font><font color="#FF6633">
released an iptables-1.2.4 RPM of their own which you can download from<font color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
@ -357,21 +439,25 @@ Aborted (core dumped)
<p>Upgrading: rpm -Uvh <i>&lt;shorewall rpm&gt;</i></p>
<p><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></p>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
users who install iptables 1.2.7 must set
MULTIPORT=No in /etc/shorewall/shorewall.conf or
if you install iptables 1.2.7 you must</p>
<ul>
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may
install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</p>
as described above.</li>
</ul>
<p><font size="2">
Last updated 8/14/2002 -
Last updated 8/22/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

9
Shorewall-docs/errata_1.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Errata for Version 1.1</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Errata for Version 1.1</font></h1>
</td>
</tr>
</table>
<h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
to Sept 20, 2001:</u></font></h3>

11
Shorewall-docs/errata_2.htm
View File

@ -10,10 +10,15 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
</head>
<body>
<h1 align="center">Shorewall 1.2 Errata</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="90" bgcolor="#400169">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall 1.2 Errata</font></h1>
</td>
</tr>
</table>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">

11
Shorewall-docs/fallback.htm
View File

@ -5,12 +5,19 @@
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Fallback and Uninstall</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Fallback and Uninstall</font></h1>
</td>
</tr>
</table>
<p><strong>Shorewall includes
a </strong><a href="#fallback"><strong>fallback script</strong></a><strong>

13
Shorewall-docs/gnu_mailman.htm
View File

@ -6,13 +6,20 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">GNU Mailman/Postfix<br>
the Easy Way</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">GNU Mailman/Postfix
the Easy Way</font></h1>
</td>
</tr>
</table>
<h1 align="center">&nbsp;</h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>

3
Shorewall-docs/index.htm
View File

@ -5,10 +5,9 @@
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<frameset cols="237,*">
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="main" src="seattlefirewall_index.htm" target="_self" scrolling="auto">
<noframes>

9
Shorewall-docs/kernel.htm
View File

@ -5,11 +5,16 @@
<title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Kernel Configuration</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Kernel Configuration</font></h1>
</td>
</tr>
</table>
<p>For information regarding configuring and building GNU/Linux kernels, see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote>

14
Shorewall-docs/mailing_list.htm
View File

@ -11,12 +11,14 @@
<body>
<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" width="110" height="35"></a>Shorewall Mailing Lists</h1>
<p align="left">&nbsp;<a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="left" width="115" height="45"></a> </p>
<h2 align="left">&nbsp;</h2>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
</td>
</tr>
</table>
<p align="left">
<b>Note: </b>The list server limits posts to 120kb.</p>

9
Shorewall-docs/mailing_list_problems.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Mailing List Problems</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
</td>
</tr>
</table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2>

14
Shorewall-docs/myfiles.htm
View File

@ -10,10 +10,16 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="center">About My Network</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">About My Network</font></h1>
</td>
</tr>
</table>
<blockquote> </blockquote>
@ -116,10 +122,10 @@ interfaces. </p>
<h3>Routestopped File:</h3>
<pre> #INTERFACE HOST(S)
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180</pre>
eth3 206.124.146.180</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

18
Shorewall-docs/ports.htm
View File

@ -5,10 +5,16 @@
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body><h1 align="center">Ports required for Various Services/Applications</h1>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Ports required for Various Services/Applications</font></h1>
</td>
</tr>
</table>
<p>In addition to those applications described in <a href="Documentation.htm">the
/etc/shorewall/rules documentation</a>, here are some other
@ -95,6 +101,12 @@ services/applications that you may need to configure your firewall to accommodat
<p>Traceroute</p>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote>
<p>NFS</p>
<blockquote>
<p>There's some good information at&nbsp;
<a href="http://nfs.sourceforge.net/nfs-howto/security.html">
http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
@ -103,7 +115,7 @@ services/applications that you may need to configure your firewall to accommodat
<a href="http://www.networkice.com/advice/Exploits/Ports">
http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 7/30/2002 - </font><font size="2">
<p><font size="2">Last updated 8/21/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

9
Shorewall-docs/quotes.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Quotes from Shorewall Users</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</table>
<p>&quot;I just installed Shorewall after weeks of messing with

9
Shorewall-docs/samba.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Samba</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Samba</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Samba</font></h1>
</td>
</tr>
</table>
<p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>

44
Shorewall-docs/seattlefirewall_index.htm
View File

@ -11,7 +11,7 @@
<base target="_self">
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4" style="border-collapse: collapse" width="100%" id="AutoNumber3" bgcolor="#4B017C">
@ -63,29 +63,53 @@
<h2>News</h2>
<p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall. Users
who have ALLOWRELATED=No in <a href="Documentation.htm#Conf">
shorewall.conf</a> should see the <a href="errata.htm#Upgrade">Upgrade
Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to
<a href="Documentation.htm#Conf">shorewall.conf</a>. The effect of
setting this variable to Yes is the same as the effect of adding an
ACCEPT rule for ICMP echo-request in
<a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
Users who have such a rule in icmpdef are encouraged to switch to
FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to the
rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7.</li>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul>
<p>I would like to thank John Distler for his valuable input regarding TCP SYN
and ICMP treatment in Shorewall. That input has led to marked improvement in
Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">
CVS Repository</a>
<img border="0" src="images/new10.gif" width="28" height="12"></b></p>
CVS Repository</a></b></p>
<p>The Shorewall-docs project now contains just the HTML and image files - the
Frontpage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">
CVS Repository</a>
<img border="0" src="images/new10.gif" width="28" height="12"></b></p>
CVS Repository</a></b></p>
<p>This branch will only be updated after I release a new version of Shorewall
so you can always update from this branch to get the latest stable tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a>
<img border="0" src="images/new10.gif" width="28" height="12"></b></p>
to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading to
recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6
<img border="0" src="images/new10.gif" width="28" height="12"></b></p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
@ -126,7 +150,7 @@
</table>
<p><font size="2">Updated
8/13/2002 - <a href="support.htm">Tom Eastep</a>
8/22/2002 - <a href="support.htm">Tom Eastep</a>
</font>

29
Shorewall-docs/shoreline.htm
View File

@ -10,13 +10,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="Center">Tom Eastep</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Tom Eastep</font></h1>
</td>
</tr>
</table>
@ -65,16 +71,15 @@ Washington</a>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
and LNE100TX (Tulip) NIC - My personal Windows system. This system also has
RH7.3 installed.</li>
<li>PII/266, RH7.3, 320MB RAM, 20GB HD, LNE100TX(Tulip) NIC - My personal
GNU/Linux System which runs Samba configured as a WINS server.</li>
<li>K6-2/350, RH7.3, 256MB RAM, 8GB IDE HD, EEPRO100 NIC 
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX
(Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My
personal Linux System which runs Samba configured as a WINS server.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH7.3 with 2.4.19 kernel, 128MB MB RAM, 2GB SCSI HD - 3
LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.4 and a DHCP
<li>PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100
@ -83,7 +88,7 @@ in expansion base - My main work system.</li>
<p>For more about our network see <a href="myfiles.htm">my Shorewall
Configuration</a>.</p>
<p>The PII/266 is made by <a href="http://www.dell.com">Dell</a>. All of our
<p>All of our
other systems are made by <a href="http://www.compaq.com">Compaq</a> (part
of the new <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.netgear.com">Netgear</a>
FA310TXs.</p>
@ -93,7 +98,7 @@ in expansion base - My main work system.</li>
</font></p>
<p><font size="2">Last updated 8/10/2002 - </font><font size="2">
<p><font size="2">Last updated 8/16/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>

1
Shorewall-docs/shorewall_ca_certificate.htm
View File

@ -6,7 +6,6 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall CA Certificate</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>

53
Shorewall-docs/shorewall_extension_scripts.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Extension Scripts</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
</td>
</tr>
</table>
<p>
Extension scripts are user-provided
@ -41,20 +46,10 @@ been processed.</p>
<p>The following two files receive
special treatment:</p>
<ul>
<li>/etc/shorewall/common -- If this file is present, the rules that it
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
defines will totally replace the default rules in the common chain. These
default rules are contained in the file /etc/shorewall/common.def which
may be used as a starting point for making your own customized file.</li>
<li>/etc/shorewall/icmpdef -- If this file is present, the rules that it
defines will totally replace the default rules in the icmpdef chain.
These default rules are contained in the file /etc/shorewall/icmp.def
which may be used as a starting point for making your own customized
file.</li>
</ul>
may be used as a starting point for making your own customized file.</p>
@ -68,9 +63,8 @@ processing of the command.</p>
<p>
If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def, it
is a good idea to use the following technique (common file shown but the same
technique applies to icmpdef).</p>
If you decide to create /etc/shorewall/common it is a good idea to use the
following technique</p>
@ -80,25 +74,36 @@ processing of the command.</p>
<blockquote>
<pre>source /etc/shorewall/common.def
<pre>. /etc/shorewall/common.def
&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can add
the superceding rule before the 'source' command. Using this technique allows
the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common and /etc/shorewall/icmpdef define rules
<p>Remember that /etc/shorewall/common defines rules
that are only applied if the applicable policy is DROP or REJECT. These rules
are NOT applied if the policy is ACCEPT or CONTINUE.<br>
</p>
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
<p align="left"><font size="2">Last updated
8/5/2002 - <a href="support.htm">Tom
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be
rejected by the firewall. It is recommended with this setting that you create
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</pre>
<p align="left"><font size="2">Last updated
8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>

9
Shorewall-docs/shorewall_features.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Features</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Features</font></h1>
</td>
</tr>
</table>
<ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li>

26
Shorewall-docs/shorewall_firewall_structure.htm
View File

@ -6,14 +6,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Firewall Structure</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Firewall Structure</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Firewall Structure</font></h1>
</td>
</tr>
</table>
<p>
Shorewall views the network in which it is running as a set of disjoint
Shorewall views the network in which it is running as a set of
<i> zones. </i>Shorewall itself defines exactly one zone called "fw"
which refers to the firewall system itself . The /etc/shorewall/zones file
is used to define additional zones and the example file provided with Shorewall
@ -36,6 +41,21 @@ from the internet and from the DMZ and in some cases, from each other.</li
with the exception of the firewall zone, Shorewall itself attaches no meaning to
zone names. Zone names are simply labels used to refer to a collection of
network hosts.</p>
<p>While zones are normally disjoint (no two zones have a host in common),
there are cases where nested or overlapping zone definitions are appropriate.</p>
<p>Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing &quot;shorewall show
mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b>
option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop
the packet if its destination IP address is reserved (as specified in the
/etc/shorewall/rfc1918 file). Next the packet passes through the<b> pretos</b>
chain to set its TOS field as specified in the /etc/shorewall/tos file.
Finally, if traffic control/shaping is being used, the packet is sent through
the<b> tcpre</b> chain to be marked for later use in policy routing or traffic
control.</p>
<p>Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table by
typing &quot;shorewall show nat&quot;). </p>
<p>
Traffic entering the
firewall is sent to an<i> input </i>chain. If the traffic is destined for the

1
Shorewall-docs/shorewall_index.htm
View File

@ -5,7 +5,6 @@
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Border" content="none, default">
</head>

9
Shorewall-docs/shorewall_mailing_list_migration.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing List Migration</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Mailing List Migration</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Mailing List Migration</font></h1>
</td>
</tr>
</table>
<p align="left">If you are a current subscriber to the Shorewall mailing list at
<a href="http://sourceforge.net">Sourceforge</a>, please do the following:</p>
<ol>

9
Shorewall-docs/shorewall_mirrors.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Mirrors</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Mirrors</font></h1>
</td>
</tr>
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed for
6-12 hours after an update to the primary site.</b></p>

10
Shorewall-docs/shorewall_prerequisites.htm
View File

@ -6,13 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Requirements</h1>
<p align="center">&nbsp;</p>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Requirements</font></h1>
</td>
</tr>
</table>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. <a href="kernel.htm">
Check here for kernel configuration information.</a>

15
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -6,13 +6,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="boldstri 011">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="center">Shorewall QuickStart Guides<br>
Version 3.0</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall QuickStart Guides<br>
Version 3.0</font></h1>
</td>
</tr>
</table>
<p align="center">With thanks to Richard who reminded me once again that we must
all first walk before we can run.</p>
@ -69,7 +75,7 @@ explained in the single-address guides above.</p>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements the
QuickStart Guides described above.</p>
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described above.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a><ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
@ -126,6 +132,7 @@ QuickStart Guides described above.</p>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>Tunnels<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>

17
Shorewall-docs/shorewall_setup_guide.htm
View File

@ -6,7 +6,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Setup Guide</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -46,6 +46,10 @@ know more about Shorewall than is contained in the
guides</a>. Because the
range of possible applications is so broad, the Guide will give you general
guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">&nbsp;&nbsp;&nbsp;
If you run LEAF Bering, your Shorewall configuration is NOT what I release -- I
suggest that you consider installing a stock Shorewall lrp from the
shorewall.net site before you proceed.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
package is installed by the presence of an <b>ip</b> program on your firewall
@ -730,6 +734,13 @@ table but if we logically and that address with 255.255.255.0, the result is
<pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre>
</blockquote>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</div>
<p align="left">One more thing needs to be emphasized -- all outgoing packet are
sent using the routing table and reply packets are not a special case. There
seems to be a common mis-conception whereby people think that request packets
are like salmon and contain a genetic code that is magically transferred to
reply packets so that the replies follow the reverse route taken by the request.
That isn't the case; the replies may take a totally different route back to the
client than was taken by the requests -- they are totally independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
@ -1123,7 +1134,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
there routers with a long ARP cache timeout. If you move a system from
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet. You
can call your ISP and ask them to purge the stale ARP cache entry but many
@ -2347,7 +2358,7 @@ foobar.net. 86400 IN A 192.0.2.177
test it using the <a href="Documentation.htm#Starting">&quot;shorewall try&quot; command</a>.</div>
<p align="left"><font size="2">Last updated
8/10/2002 - <a href="support.htm">Tom
8/18/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>

11
Shorewall-docs/spam_filters.htm
View File

@ -6,12 +6,19 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>SPAM Filters</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">SPAM Filters<br>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">SPAM Filters</font></h1>
</td>
</tr>
</table>
<h1 align="center"><br>
<a href="http://ordb.org">
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a></h1>
<p>Like all of you, I'm concerned about the increasing volume of Unsolicited

19
Shorewall-docs/standalone.htm
View File

@ -6,12 +6,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Standalone Firewall</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Standalone Firewall</font></h1>
</td>
</tr>
</table>
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the
@ -93,7 +100,7 @@ file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has the
following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
@ -185,7 +192,7 @@ use in private networks:</p>
<p align="left">If you wish to enable connections from the internet to your firewall, the general format is:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -212,7 +219,7 @@ use in private networks:</p>
system:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber5">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
@ -252,7 +259,7 @@ use in private networks:</p>
access to your firewall from the internet, use SSH:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>

9
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -6,14 +6,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Starting/Stopping and Monitoring the Firewall</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Starting/Stopping and Monitoring the Firewall</font></h1>
</td>
</tr>
</table>

9
Shorewall-docs/subnet_masks.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Subnet Masks</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Subnet Masks/VLSM Notation</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Subnet Masks/VLSM Notation</font></h1>
</td>
</tr>
</table>
<p align="left">IP addresses and subnet masks are 32-bit numbers. The notation
w.x.y.z refers to an address where the high-order byte has value &quot;w&quot;, the next
byte has value &quot;x&quot;, etc. If we take 255.255.255.0 and express it in

17
Shorewall-docs/support.htm
View File

@ -6,12 +6,18 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="center">Shorewall Support</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Support</font></h1>
</td>
</tr>
</table>
<h3 align="left">Before Reporting a Problem</h3>
<blockquote>
@ -92,7 +98,10 @@ isn't working? For example, if "ssh" isn't able to connect, using the
</ul>
<h3>Where to Send your Problem
Report or to Ask for Help</h3>
<p>Please post your question or problem to the
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400">please
post your question or problem to the
<a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the
<a href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives to
@ -107,7 +116,7 @@ to respond promptly to mailing list posts.&nbsp;&nbsp; <a href="mailto:teastep@s
<p>To Subscribe to the mailing list go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 8/5/2002 - Tom
<p align="left"><font size="2">Last Updated 8/17/2002 - Tom
Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">

9
Shorewall-docs/three-interface.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Three-Interface Firewall</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Three-Interface Firewall</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber5" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Three-Interface Firewall</font></h1>
</td>
</tr>
</table>
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up a Linux system as a firewall for a small network with

9
Shorewall-docs/traffic_shaping.htm
View File

@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Traffic Shaping/Control</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Traffic Shaping/Control</font></h1>
</td>
</tr>
</table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support for traffic
shaping/control. In order to use traffic shaping under Shorewall, it is
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing

11
Shorewall-docs/troubleshoot.htm
View File

@ -10,13 +10,18 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
</head>
<body>
<h1 align="center">Shorewall Troubleshooting</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Troubleshooting</font></h1>
</td>
</tr>
</table>

13
Shorewall-docs/two-interface.htm
View File

@ -6,12 +6,18 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 align="center">Basic Two-Interface Firewall</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber5" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Basic Two-Interface Firewall</font></h1>
</td>
</tr>
</table>
<p align="left">Setting up a Linux system as a firewall for a small network is a
fairly straight-forward task if you understand the basics and follow the
documentation.</p>
@ -53,8 +59,7 @@ copy before using it with Shorewall.</p>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed Shorewall</a>,
download the <a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">
two-interface sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
download the <a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
<p>As each file is introduced, I suggest that you
look through the actual file on your system -- each file contains detailed

9
Shorewall-docs/whitelisting_under_shorewall.htm
View File

@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Whitelisting under Shorewall</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Whitelisting under Shorewall</h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Whitelisting under Shorewall</font></h1>
</td>
</tr>
</table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported an
/etc/shorewall/whitelist file. This file was intended to contain a list of IP
addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was