mirror of https://gitlab.com/shorewall/code.git, synced 2024-11-29 02:54:18 +01:00
Documentation Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1492 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent e5d42a14a5
commit 7ae14b0e6a
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-16</pubdate>
|
<pubdate>2004-07-20</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -243,8 +243,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="NAT.htm">One-to-one NAT</ulink> (Formerly referred to
|
<para><ulink url="NAT.htm">One-to-one NAT</ulink> (Static NAT)</para>
|
||||||
as Static NAT)</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -344,6 +343,10 @@
|
|||||||
<para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para>
|
<para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="Accounting.html">Traffic Accounting</ulink></para>
|
<para><ulink url="Accounting.html">Traffic Accounting</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
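Review bot: the new <listitem> adds a second index entry pointing at NAT.htm; the "One-to-one NAT (Static NAT)" item changed in the previous hunk already links to the same page. If the intent is an alphabetical cross-reference under "Static", that is fine, but otherwise one of the two entries should go so the index does not list the same document twice.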
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-02-14</pubdate>
|
<pubdate>2004-07-22</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -33,10 +33,45 @@
|
|||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<para>Proxy ARP allows you to insert a firewall in front of a set of servers
|
<para>Proxy ARP (RFC 1027) is a way to make a machine physically located on
|
||||||
without changing their IP addresses and without having to re-subnet. Before
|
one network appear to be logically part of a different physical network
|
||||||
you try to use this technique, I strongly recommend that you read the <ulink
|
connected to the same router/firewall. Typically it allows us to hide a
|
||||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
|
machine with a public IP address on a private network behind a router, and
|
||||||
|
still have the machine appear to be on the public network "in front
|
||||||
|
of" the router. The router "proxys" ARP requests and all network
|
||||||
|
traffic to and from the hidden machine to make this fiction possible.</para>
|
||||||
|
|
||||||
|
<para>Consider a router with two interface cards, one connected to a public
|
||||||
|
network PUBNET and one connected to a private network PRIVNET. We want to
|
||||||
|
hide a server machine on the PRIVNET network but have it accessible from the
|
||||||
|
PUBNET network. The IP address of the server machine lies in the PUBNET
|
||||||
|
network, even though we are placing the machine on the PRIVNET network
|
||||||
|
behind the router.</para>
|
||||||
|
|
||||||
|
<para>By enabling proxy ARP on the router, any machine on the PUBNET network
|
||||||
|
that issues an ARP "who has" request for the server's MAC
|
||||||
|
address will get a proxy ARP reply from the router containing the
|
||||||
|
router's MAC address. This tells machines on the PUBNET network that
|
||||||
|
they should be sending packets destined for the server via the router. The
|
||||||
|
router forwards the packets from the machines on the PUBNET network to the
|
||||||
|
server on the PRIVNET network.</para>
|
||||||
|
|
||||||
|
<para>Similarly, when the server on the PRIVNET network issues a "who
|
||||||
|
has" request for any machines on the PUBNET network, the router provides
|
||||||
|
its own MAC address via proxy ARP. This tells the server to send packets for
|
||||||
|
machines on the PUBNET network via the router. The router forwards the
|
||||||
|
packets from the server on the PRIVNET network to the machines on the PUBNET
|
||||||
|
network.</para>
|
||||||
|
|
||||||
|
<para>The proxy ARP provided by the router allows the server on the
|
||||||
|
PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
|
||||||
|
pass ARP requests and other network packets in both directions between the
|
||||||
|
server machine and the PUBNET network, making the server machine appear to
|
||||||
|
be connected to the PUBNET network even though it is on the PRIVNET network
|
||||||
|
hidden behind the router. </para>
|
||||||
|
|
||||||
|
<para>Before you try to use this technique, I strongly recommend that you
|
||||||
|
read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Example</title>
|
<title>Example</title>
|
||||||
|
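Review bot: "PRIVNETnetwork" in the new paragraph is missing a space ("PRIVNET network"), and "proxys" should be spelled "proxies". The same paragraph also says the router "pass[es] ARP requests and other network packets in both directions", which overstates what the preceding paragraphs describe: the router answers the ARP requests itself with its own MAC address and forwards only the IP traffic. Suggest "answer ARP requests on the server's behalf and forward network packets in both directions".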
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-03</pubdate>
|
<pubdate>2004-07-21</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2004</year>
|
<year>2004</year>
|
||||||
@ -54,12 +54,14 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
|
<para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
|
||||||
<firstterm>Stable Releases</firstterm>. No new features are added to
|
<firstterm>Stable Releases</firstterm>. No major new features are
|
||||||
stable releases and new minor releases of a stable release will only
|
added to stable releases and new minor releases of a stable release
|
||||||
contain bug fixes. Installing a new minor release for the major
|
will only contain bug fixes and simple low-risk enhancements.
|
||||||
release that you are currently running involves no migration issues
|
Installing a new minor release for the major release that you are
|
||||||
(for example, if you are running 1.4.10 and I release 1.4.11, your
|
currently running involves no migration issues unless you want to take
|
||||||
current configuration is 100% compatible with the new release).</para>
|
advantage of an enhancement (for example, if you are running 1.4.10
|
||||||
|
and I release 1.4.11, your current configuration is 100% compatible
|
||||||
|
with the new release).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -123,9 +125,9 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Old Release Model</title>
|
<title>Old Release Model</title>
|
||||||
|
|
||||||
<para>This release model described above was adopted on 2003-07-03. Prior
|
<para>This release model described above was adopted on 2004-07-03 and
|
||||||
to that time, a different release model was followed. Highlights of that
|
modified 2004-07-21. Prior to 2004-07-03, a different release model was
|
||||||
model were:</para>
|
followed. Highlights of that model were:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -134,9 +136,9 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>New functionality was added in minor releases of the current
|
<para>Major new functionality was added in minor releases of the
|
||||||
major release. There was no concept of Stable vs Development major
|
current major release. There was no concept of Stable vs Development
|
||||||
releases.</para>
|
major releases.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -144,8 +146,8 @@
|
|||||||
of a major release and had identifications of the form
|
of a major release and had identifications of the form
|
||||||
<emphasis>x.y.zX</emphasis> (e.g., 2.0.3c) where <emphasis>X</emphasis>=1,b,c,...
|
<emphasis>x.y.zX</emphasis> (e.g., 2.0.3c) where <emphasis>X</emphasis>=1,b,c,...
|
||||||
. Consequently, if a user required a bug fix but was not running the
|
. Consequently, if a user required a bug fix but was not running the
|
||||||
last minor release of the associated major release then it was
|
last minor release of the associated major release then it might be
|
||||||
necessary to accept new functionailty along with the bug fix.</para>
|
necessary to accept major new functionailty along with the bug fix.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
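Review bot: the edited line keeps the misspelling "functionailty"; since the line is being touched anyway, make it "major new functionality along with the bug fix". In the unchanged context two lines up, the suffix list reads X=1,b,c,... while the example 2.0.3c uses a letter, so the list presumably should start with "a" (X=a,b,c,...).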
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-16</pubdate>
|
<pubdate>2004-07-20</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003-2004</year>
|
<year>2003-2004</year>
|
||||||
@ -80,6 +80,13 @@ MANGLE_ENABLED=Yes</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
|
<caution>
|
||||||
|
<para>In the instructions below, only TCP Port 80 is opened from the
|
||||||
|
system running Squid to the internet. If your users require browsing
|
||||||
|
sites that use a port other than 80 (e.g., http://www.domain.tld:<emphasis
|
||||||
|
role="bold">8080</emphasis>) then you must open those ports as well.</para>
|
||||||
|
</caution>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
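Review bot: the new caution says "only TCP Port 80 is opened from the system running Squid to the internet", but the rules examples later in this same commit change the SZ to net and fw to net rules from "tcp 80" to "tcp 80,443". Either the caution should say ports 80 and 443, or the caution and the rules will contradict each other on the published page.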
@ -301,7 +308,7 @@ chkconfig --level 35 iptables on</command></programlisting>
|
|||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
ACCEPT Z SZ tcp SP
|
ACCEPT Z SZ tcp SP
|
||||||
ACCEPT SZ net tcp 80</programlisting>
|
ACCEPT SZ net tcp 80,443</programlisting>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Squid on the firewall listening on port 8080 with access from the
|
<title>Squid on the firewall listening on port 8080 with access from the
|
||||||
@ -309,7 +316,7 @@ ACCEPT SZ net tcp 80</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
ACCEPT loc fw tcp 8080
|
ACCEPT loc fw tcp 8080
|
||||||
ACCEPT fw net tcp 80</programlisting></para>
|
ACCEPT fw net tcp 80,443</programlisting></para>
|
||||||
</example>
|
</example>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
Binary file not shown.
File diff suppressed because it is too large
Binary file not shown.
File diff suppressed because it is too large
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-07-15</pubdate>
|
<pubdate>2004-07-22</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -1365,18 +1365,23 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The firewall responds to ARP <quote>who has</quote> requests
|
<para>The firewall responds to ARP <quote>who has</quote> requests
|
||||||
for <emphasis role="bold">A</emphasis>.</para>
|
for <emphasis role="bold">A</emphasis> from machines outside of
|
||||||
|
the firewall.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When <emphasis role="bold">H</emphasis> <emphasis
|
<para>When <emphasis role="bold">H</emphasis> issues an ARP
|
||||||
role="bold">A </emphasis>andissues an ARP <quote>who has</quote>
|
<quote>who has</quote> request for a machine with an address in
|
||||||
request for an address in the subnetwork defined by <emphasis
|
the network defined by <emphasis role="bold">M</emphasis> where
|
||||||
role="bold">M</emphasis>, the firewall will respond (with the MAC
|
the target machine is outside of the firewall, the firewall will
|
||||||
if the firewall interface) to <emphasis role="bold">H</emphasis>.</para>
|
respond to <emphasis role="bold">H</emphasis> (with the MAC of the
|
||||||
|
firewall interface).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>For a more complete description of how Proxy ARP works, please
|
||||||
|
see the <ulink url="ProxyARP.htm">Shorewall Proxy Documentation</ulink>.</para>
|
||||||
|
|
||||||
<para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
|
<para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
|
||||||
example network.</para>
|
example network.</para>
|
||||||
|
|
||||||
|
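Review bot: the new link text "Shorewall Proxy Documentation" drops the word "ARP"; it should read "Shorewall Proxy ARP Documentation" to match the ProxyARP.htm target. The rewritten second item reads correctly now, and the added qualifier "where the target machine is outside of the firewall" is the important part: the old wording ("for an address in the subnetwork defined by M, the firewall will respond") implied the firewall answers for every address in M, including hosts on H's own segment, which would draw local traffic through the firewall.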
@ -410,9 +410,9 @@ DROP net fw icmp echo-request</programlist
|
|||||||
<appendix>
|
<appendix>
|
||||||
<title>Revision History</title>
|
<title>Revision History</title>
|
||||||
|
|
||||||
<para><revhistory><revision><revnumber>1.8</revnumber><date>2005-04-03</date><authorinitials>TE</authorinitials><revremark>Point
|
<para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-03</date><authorinitials>TE</authorinitials><revremark>Point
|
||||||
out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2005-02-02</date><authorinitials>TE</authorinitials><revremark>Add
|
out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-02</date><authorinitials>TE</authorinitials><revremark>Add
|
||||||
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
|
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-01-06</date><authorinitials>TE</authorinitials><revremark>Add
|
||||||
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
|
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
|
||||||
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
|
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||||
Docbook Conversion</revremark></revision></revhistory></para>
|
Docbook Conversion</revremark></revision></revhistory></para>
|
||||||
|