mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-15 10:08:43 +01:00
Shorewall-1.4.7a
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@774 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
f6c8974bda
commit
7bb80bf3fe
@ -27,69 +27,62 @@ Shorewall Traffic Accounting support was added in Shorewall release
|
|||||||
<br>
|
<br>
|
||||||
Shorewall accounting rules are described in the file
|
Shorewall accounting rules are described in the file
|
||||||
/etc/shorewall/accounting. By default, the accounting rules are placed
|
/etc/shorewall/accounting. By default, the accounting rules are placed
|
||||||
in a chain called "accounting" and can
|
in a chain called "accounting" and can thus be displayed using
|
||||||
thus be displayed using "shorewall show accounting". All traffic
|
"shorewall show accounting". All traffic passing into, out of or
|
||||||
passing into, out of or through the firewall traverses the accounting
|
through the firewall traverses the accounting chain including traffic
|
||||||
chain including traffic that will later be rejected by <a
|
that will later be rejected by <a href="Documentation.htm#Interfaces">interface
|
||||||
href="Documentation.htm#Interfaces">interface options</a> such as
|
options</a> such as "tcpflags" and "maclist". If your kernel doesn't
|
||||||
"tcpflags" and "maclist". If your kernel doesn't support the connection
|
support the connection tracking match extension (Kernel 2.4.21) then
|
||||||
tracking match extension (Kernel 2.4.21) then some traffic rejected
|
some traffic rejected under 'norfc1918' will not traverse the
|
||||||
under 'norfc1918' will not traverse the accounting chain.<br>
|
accounting chain.<br>
|
||||||
<br>
|
<br>
|
||||||
The columns in the accounting file are as follows:<br>
|
The columns in the accounting file are as follows:<br>
|
||||||
<ul>
|
<ul>
|
||||||
<li><span style="font-weight: bold;">ACTION</span> - What to do when
|
<li><span style="font-weight: bold;">ACTION</span> - What to do when a
|
||||||
a match is found. Possible values are:</li>
|
match is found. Possible values are:</li>
|
||||||
<ul>
|
<ul>
|
||||||
<li>COUNT- Simply count the match and continue trying to
|
<li>COUNT- Simply count the match and continue trying to match the
|
||||||
match the packet with the following accounting rules</li>
|
packet with the following accounting rules</li>
|
||||||
<li>DONE- Count the match and don't attempt to match any following
|
<li>DONE- Count the match and don't attempt to match any following
|
||||||
accounting rules.</li>
|
accounting rules.</li>
|
||||||
<li><<span style="font-style: italic;">chain</span>> - The
|
<li><<span style="font-style: italic;">chain</span>> - The
|
||||||
name of a chain to jump to. Shorewall will create the chain
|
name of a chain to jump to. Shorewall will create the chain
|
||||||
automatically. If the
|
automatically. If the name of the chain is followed by ":COUNT" then a
|
||||||
name of the chain is followed by ":COUNT" then a COUNT rule matching
|
COUNT rule matching this rule will automatically be added to <<span
|
||||||
this rule will automatically be added to <<span
|
|
||||||
style="font-style: italic;">chain</span>><br>
|
style="font-style: italic;">chain</span>><br>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
|
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
|
||||||
chain where the accounting rule is to be added. If empty or "-" then
|
chain where the accounting rule is to be added. If empty or "-" then the
|
||||||
the "accounting" chain is assumed.<br>
|
"accounting" chain is assumed.<br>
|
||||||
</li>
|
</li>
|
||||||
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
|
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
|
||||||
The name of an interface, an address
|
The name of an interface, an address (host or net) or an interface name
|
||||||
(host or net) or an interface name followed by ":" and a host or net
|
followed by ":" and a host or net address.</li>
|
||||||
address.</li>
|
|
||||||
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
|
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
|
||||||
Destination Format the same as the SOURCE
|
Destination Format the same as the SOURCE column.</li>
|
||||||
column.</li>
|
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol name
|
||||||
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol
|
(from /etc/protocols) or a protocol number.</li>
|
||||||
name (from /etc/protocols) or a protocol
|
|
||||||
number.</li>
|
|
||||||
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
|
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
|
||||||
Port number. Service name from
|
Port number. Service name from /etc/services or port number. May only be
|
||||||
/etc/services or port number. May only be specified if the protocol is
|
specified if the protocol is TCP or UDP (6 or 17).</li>
|
||||||
TCP or UDP (6 or 17).</li>
|
|
||||||
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
|
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
|
||||||
number. Service name from /etc/services
|
number. Service name from /etc/services or port number. May only be
|
||||||
or port number. May only be specified if the protocol is TCP or UDP (6
|
specified if the protocol is TCP or UDP (6 or 17).<br>
|
||||||
or 17).<br>
|
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
In all columns except ACTION and CHAIN, the values "-","any" and
|
In all columns except ACTION and CHAIN, the values "-","any" and "all"
|
||||||
"all" are treated as wild-cards.<br>
|
are treated as wild-cards.<br>
|
||||||
<br>
|
<br>
|
||||||
The accounting rules are evaluated in the Netfilter 'filter' table.
|
The accounting rules are evaluated in the Netfilter 'filter' table.
|
||||||
This is the same environment where the 'rules' file rules are evaluated
|
This is the same environment where the 'rules' file rules are evaluated
|
||||||
and in this environment, DNAT has already occurred in inbound packets
|
and in this environment, DNAT has already occurred in inbound packets
|
||||||
and SNAT has not yet occurred on outbound ones.<br>
|
and SNAT has not yet occurred on outbound ones.<br>
|
||||||
<br>
|
<br>
|
||||||
Accounting rules are not stateful -- each rule only handles traffic in
|
Accounting rules are not stateful -- each rule only handles traffic in
|
||||||
one direction. For example, if eth0 is your internet interface and you
|
one direction. For example, if eth0 is your internet interface and you
|
||||||
have a web
|
have a web server in your DMZ connected to eth1 then to count HTTP
|
||||||
server in your DMZ connected to eth1 then to count HTTP traffic in
|
traffic in both directions requires two rules: <br>
|
||||||
both directions requires two rules: <br>
|
|
||||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
|
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
|
||||||
Associating a counter with a chain allows for nice reporting. For
|
Associating a counter with a chain allows for nice reporting. For
|
||||||
example:<br>
|
example:<br>
|
||||||
@ -103,8 +96,16 @@ Here's a slightly different example:<br>
|
|||||||
Now "shorewall show web" simply gives you a breakdown by input and
|
Now "shorewall show web" simply gives you a breakdown by input and
|
||||||
output:<br>
|
output:<br>
|
||||||
<br>
|
<br>
|
||||||
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br><br></pre>
|
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br></pre>
|
||||||
<p align="left"><font size="2">Last updated 8/20/2003 - <a
|
Here's how the same example would be constructed on a server with only
|
||||||
|
one interface (eth0):<br>
|
||||||
|
<pre style="margin-left: 40px;">#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br># PORT PORT<br>web - eth0 - tcp 80<br>web - - eth0 tcp - 80<br>web - eth0 - tcp 443<br>web - - eth0 tcp - 443<br><br>COUNT web eth0 -<br>COUNT web - eth0<br></pre>
|
||||||
|
Note that with only one interface, only the SOURCE (for input rules) or
|
||||||
|
the DESTINATION (for output rules) is specified in each rule.<br>
|
||||||
|
<br>
|
||||||
|
Here's the output:<br>
|
||||||
|
<pre style="margin-left: 40px;">[root@mail shorewall]# shorewall show accounting web <br>Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0<br>[root@mail shorewall]#<br></pre>
|
||||||
|
<p align="left"><font size="2">Last updated 10/12/2003 - <a
|
||||||
href="support.htm">Tom Eastep</a></font></p>
|
href="support.htm">Tom Eastep</a></font></p>
|
||||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||||
|
|||||||
@ -173,7 +173,15 @@ only<b> from specific IP Addresses</b> on the internet?</a><br>
|
|||||||
options in nmap</b> on or behind the firewall, I get "<b>operation not
|
options in nmap</b> on or behind the firewall, I get "<b>operation not
|
||||||
permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
||||||
<br>
|
<br>
|
||||||
<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my
|
<b><span style="font-weight: bold;">26a. </span></b><a
|
||||||
|
href="#faq26a">When I try
|
||||||
|
to use the <span style="font-weight: bold;">"-O" option of nmap</span>
|
||||||
|
from the firewall system, I get "<span style="font-weight: bold;">operation
|
||||||
|
not permitted". </span>How to I allow this option?</a><b><span
|
||||||
|
style="font-weight: bold;"><a href="#faq26a"> </a><br>
|
||||||
|
<br>
|
||||||
|
</span>27. </b><a href="#faq27">I am compiling a <b>new kernel</b>
|
||||||
|
for my
|
||||||
firewall<b>.</b> What should I look out for?</a><br>
|
firewall<b>.</b> What should I look out for?</a><br>
|
||||||
<br>
|
<br>
|
||||||
<b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging
|
<b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging
|
||||||
@ -1079,13 +1087,22 @@ Shorewall</b> I am <b>running</b>?<br>
|
|||||||
At the shell prompt, type:<br>
|
At the shell prompt, type:<br>
|
||||||
<br>
|
<br>
|
||||||
<font color="#009900"><b> /sbin/shorewall
|
<font color="#009900"><b> /sbin/shorewall
|
||||||
version</b></font><br>
|
version<br>
|
||||||
|
</b></font>
|
||||||
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN
|
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN
|
||||||
options in nmap on or behind the firewall, I get "operation not
|
options in nmap on or behind the firewall, I get "operation not
|
||||||
permitted".
|
permitted".
|
||||||
How can I use nmap with Shorewall?"</h4>
|
How can I use nmap with Shorewall?"</h4>
|
||||||
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
|
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
|
||||||
"NEWNOTSYN=Yes" then restart Shorewall.<br>
|
"NEWNOTSYN=Yes" then restart Shorewall.<br>
|
||||||
|
<br>
|
||||||
|
<h4><a name="faq26a"></a><b><span style="font-weight: bold;">26a.
|
||||||
|
</span></b>When I try to use the <span style="font-weight: bold;">"-O"
|
||||||
|
option of nmap</span> from the firewall system, I get "<span
|
||||||
|
style="font-weight: bold;">operation not permitted". </span>How to I
|
||||||
|
allow this option?</h4>
|
||||||
|
Add this command to your /etc/shorewall/start file:<br>
|
||||||
|
<pre style="margin-left: 40px;"><tt>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</tt><br></pre>
|
||||||
<h4><a name="faq27">27. I'm compiling a new kernel for my firewall.
|
<h4><a name="faq27">27. I'm compiling a new kernel for my firewall.
|
||||||
What
|
What
|
||||||
should I look out for?</a></h4>
|
should I look out for?</a></h4>
|
||||||
|
|||||||
@ -19,6 +19,54 @@
|
|||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
<p><b>10/21/2003 - Shorewall 1.4.7a<br>
|
||||||
|
</b></p>
|
||||||
|
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||||
|
</p>
|
||||||
|
<ol>
|
||||||
|
<li>Tuomo Soini has supplied a correction to a problem that occurs
|
||||||
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||||
|
fails with:<br>
|
||||||
|
<br>
|
||||||
|
local: --limit: bad variable name<br>
|
||||||
|
iptables v1.2.8: Couldn't load match
|
||||||
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||||
|
cannot open shared object file: No such file or directory<br>
|
||||||
|
Try `iptables -h' or 'iptables --help' for more
|
||||||
|
information.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Andres Zhoglo has supplied a correction that avoids trying to use
|
||||||
|
the multiport match iptables facility on ICMP rules.<br>
|
||||||
|
<br>
|
||||||
|
Example of rule that previously caused "shorewall start"
|
||||||
|
to fail:<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
ACCEPT loc $FW
|
||||||
|
icmp 0,8,11,12<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Previously, if the following error message was issued, Shorewall
|
||||||
|
was left in an inconsistent state.<br>
|
||||||
|
<br>
|
||||||
|
Error: Unable to determine the routes routes through
|
||||||
|
interface xxx<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
|
||||||
|
corrected.</li>
|
||||||
|
<li>In Shorewall 1.4.2, an optimization was added. This optimization
|
||||||
|
involved creating a chain named "<zone>_frwd" for most zones
|
||||||
|
defined using the /etc/shorewall/hosts file. It has since been
|
||||||
|
discovered that in many cases these new chains contain redundant rules
|
||||||
|
and that the "optimization" turns out to be less than optimal. The
|
||||||
|
implementation has now been corrected.</li>
|
||||||
|
<li>When the MARK value in a tcrules entry is followed by ":F" or
|
||||||
|
":P", the ":F" or ":P" was previously only applied to the first
|
||||||
|
Netfilter rule generated by the entry. It is now applied to all entries.<br>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
|
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
|
||||||
</b></p>
|
</b></p>
|
||||||
<b>Problems Corrected since version 1.4.6 (Those in bold font were
|
<b>Problems Corrected since version 1.4.6 (Those in bold font were
|
||||||
|
|||||||
@ -263,9 +263,15 @@ status)<br>
|
|||||||
esac</font></p>
|
esac</font></p>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
|
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
|
||||||
<p>I consider hosts connected to my PPTP server to be just like local
|
<p>Often there will be situations where you want multiple connections
|
||||||
systems.
|
from remote networks with these networks having different firewalling
|
||||||
My key Shorewall entries are:</p>
|
requirements.<br>
|
||||||
|
</p>
|
||||||
|
<div style="text-align: center;"><img src="images/MultiPPTP.png"
|
||||||
|
title="" alt="" style="width: 846px; height: 544px;"><br>
|
||||||
|
</div>
|
||||||
|
<p>Here's how you configure this in Shorewall:<br>
|
||||||
|
</p>
|
||||||
<h4>/etc/shorewall/zones:</h4>
|
<h4>/etc/shorewall/zones:</h4>
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||||
@ -283,7 +289,31 @@ My key Shorewall entries are:</p>
|
|||||||
<tr>
|
<tr>
|
||||||
<td>loc</td>
|
<td>loc</td>
|
||||||
<td>Local</td>
|
<td>Local</td>
|
||||||
<td>My Local Network including remote PPTP clients</td>
|
<td>Local Network <br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">vpn1</td>
|
||||||
|
<td style="vertical-align: top;">Remote1<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">Remote Network 1<br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">vpn2<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">Remote2<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">Remote Network 2<br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">vpn3<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">Remote3<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">Remote Network 3<br>
|
||||||
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
@ -307,13 +337,13 @@ My key Shorewall entries are:</p>
|
|||||||
<tr>
|
<tr>
|
||||||
<td>loc</td>
|
<td>loc</td>
|
||||||
<td>eth2</td>
|
<td>eth2</td>
|
||||||
<td>192.168.1.255</td>
|
<td>192.168.10.255</td>
|
||||||
<td> </td>
|
<td> </td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>-</td>
|
<td>-</td>
|
||||||
<td>ppp+</td>
|
<td>ppp+</td>
|
||||||
<td> </td>
|
<td> -</td>
|
||||||
<td> </td>
|
<td> </td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
@ -335,145 +365,32 @@ My key Shorewall entries are:</p>
|
|||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>loc</td>
|
<td>vpn1<br>
|
||||||
|
</td>
|
||||||
<td>ppp+:192.168.1.0/24</td>
|
<td>ppp+:192.168.1.0/24</td>
|
||||||
<td> </td>
|
<td> </td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
</blockquote>
|
|
||||||
<h4>/etc/shorewall/policy:</h4>
|
|
||||||
<blockquote>
|
|
||||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
|
||||||
<tbody>
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><b>SOURCE</b></td>
|
<td style="vertical-align: top;">vpn2<br>
|
||||||
<td><b>DEST</b></td>
|
|
||||||
<td><b>POLICY</b></td>
|
|
||||||
<td><b>LOG LEVEL</b></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>loc</td>
|
|
||||||
<td>loc</td>
|
|
||||||
<td>ACCEPT</td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
</blockquote>
|
|
||||||
<h4>/etc/shorewall/rules (For Shorewall versions up to and including
|
|
||||||
1.3.9b):</h4>
|
|
||||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
|
||||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
|
||||||
<tbody>
|
|
||||||
<tr>
|
|
||||||
<td><b>ACTION</b></td>
|
|
||||||
<td><b>SOURCE</b></td>
|
|
||||||
<td><b>DEST</b></td>
|
|
||||||
<td><b> PROTO</b></td>
|
|
||||||
<td><b>DEST<br>
|
|
||||||
PORT(S)</b></td>
|
|
||||||
<td><b>SOURCE<br>
|
|
||||||
PORT(S)</b></td>
|
|
||||||
<td><b>ORIGINAL<br>
|
|
||||||
DEST</b></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>ACCEPT</td>
|
|
||||||
<td>net</td>
|
|
||||||
<td>fw</td>
|
|
||||||
<td>tcp</td>
|
|
||||||
<td>1723</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>ACCEPT</td>
|
|
||||||
<td>net</td>
|
|
||||||
<td>fw</td>
|
|
||||||
<td>47</td>
|
|
||||||
<td>-</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>ACCEPT</td>
|
|
||||||
<td>fw</td>
|
|
||||||
<td>net</td>
|
|
||||||
<td>47</td>
|
|
||||||
<td>-</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
</blockquote>
|
|
||||||
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions
|
|
||||||
1.3.10 and
|
|
||||||
later)<br>
|
|
||||||
</b></p>
|
|
||||||
<blockquote>
|
|
||||||
<table cellpadding="2" border="2" style="border-collapse: collapse;">
|
|
||||||
<tbody>
|
|
||||||
<tr>
|
|
||||||
<td valign="top"><b>TYPE<br>
|
|
||||||
</b></td>
|
|
||||||
<td valign="top"><b>ZONE<br>
|
|
||||||
</b></td>
|
|
||||||
<td valign="top"><b>GATEWAY<br>
|
|
||||||
</b></td>
|
|
||||||
<td valign="top"><b>GATEWAY ZONE<br>
|
|
||||||
</b></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td valign="top">pptpserver<br>
|
|
||||||
</td>
|
</td>
|
||||||
<td valign="top">net<br>
|
<td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
|
||||||
</td>
|
</td>
|
||||||
<td valign="top">0.0.0.0/0<br>
|
<td style="vertical-align: top;"><br>
|
||||||
</td>
|
</td>
|
||||||
<td valign="top"><br>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td style="vertical-align: top;">vpn3<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
|
||||||
|
</td>
|
||||||
|
<td style="vertical-align: top;"><br>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<p align="left"><br>
|
Your policies and rules can now be configured using separate zones
|
||||||
Note: I have multiple ppp interfaces on my firewall. If you have a
|
(vpn1, vpn2, and vpn3) for the three remote network.<br>
|
||||||
single
|
|
||||||
ppp interface, you probably want:</p>
|
|
||||||
<h4>/etc/shorewall/interfaces:</h4>
|
|
||||||
<blockquote>
|
|
||||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
|
||||||
<tbody>
|
|
||||||
<tr>
|
|
||||||
<td><b>ZONE</b></td>
|
|
||||||
<td><b>INTERFACE</b></td>
|
|
||||||
<td><b>BROADCAST</b></td>
|
|
||||||
<td><b>OPTIONS</b></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>net</td>
|
|
||||||
<td>eth0</td>
|
|
||||||
<td>206.124.146.255</td>
|
|
||||||
<td>norfc1918</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>loc</td>
|
|
||||||
<td>eth2</td>
|
|
||||||
<td>192.168.1.255</td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>loc</td>
|
|
||||||
<td>ppp0</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
</blockquote>
|
|
||||||
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
|
|
||||||
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
|
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
|
||||||
Behind
|
Behind
|
||||||
your Firewall</h2>
|
your Firewall</h2>
|
||||||
@ -968,7 +885,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
|
|||||||
That entry allows a PPTP tunnel to be established between your
|
That entry allows a PPTP tunnel to be established between your
|
||||||
Shorewall system and the PPTP server in the modem.<br>
|
Shorewall system and the PPTP server in the modem.<br>
|
||||||
</div>
|
</div>
|
||||||
<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
|
<p><font size="2">Last modified 10/11/2003 - <a href="support.htm">Tom
|
||||||
Eastep</a></font></p>
|
Eastep</a></font></p>
|
||||||
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
|
||||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||||||
|
|||||||
@ -30,18 +30,28 @@ application.</li>
|
|||||||
<li>Be used with an Operating System other than Linux (version >=
|
<li>Be used with an Operating System other than Linux (version >=
|
||||||
2.4.0)<br>
|
2.4.0)<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Do content filtering -- better to use <a
|
<li>Do content filtering:</li>
|
||||||
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
|
<ul>
|
||||||
|
<li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
|
||||||
|
for that.</li>
|
||||||
|
<li>Email -- Install something like <a
|
||||||
|
href="http://www.postfix.org">Postfix</a> on your firewall and
|
||||||
|
integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
|
||||||
|
and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
</ul>
|
</ul>
|
||||||
In addition:<br>
|
In addition:<br>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Shorewall does not contain any support for Netfilter <span
|
<li>Shorewall does not contain any support for Netfilter <a
|
||||||
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
|
href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
|
||||||
|
style="font-style: italic;">Patch-O-Matic</span></a> features --
|
||||||
|
Shorewall
|
||||||
only supports features from released kernels.<br>
|
only supports features from released kernels.<br>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<br>
|
<br>
|
||||||
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
|
<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
|
||||||
Eastep</a></font>
|
Eastep</a></font>
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||||
|
|||||||
@ -28,10 +28,14 @@
|
|||||||
</table>
|
</table>
|
||||||
<br>
|
<br>
|
||||||
This page covers Shorewall configuration to use with <a
|
This page covers Shorewall configuration to use with <a
|
||||||
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
|
href="http://www.squid-cache.org/">Squid </a>running as a <a
|
||||||
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
|
href="#Transparent">Transparent
|
||||||
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
|
Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
|
||||||
<br>
|
<br>
|
||||||
|
If you are running Shorewall 1.3, please see <a
|
||||||
|
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
|
||||||
|
<h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
|
||||||
|
</h1>
|
||||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||||
alt="Caution" align="middle"> Please observe the
|
alt="Caution" align="middle"> Please observe the
|
||||||
following general requirements:<br>
|
following general requirements:<br>
|
||||||
@ -71,7 +75,7 @@ running on the Firewall.</a></li>
|
|||||||
local network</a></li>
|
local network</a></li>
|
||||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||||
</ol>
|
</ol>
|
||||||
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
|
<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
|
||||||
You want to redirect all local www connection requests
|
You want to redirect all local www connection requests
|
||||||
EXCEPT those to your own http server (206.124.146.177) to a Squid
|
EXCEPT those to your own http server (206.124.146.177) to a Squid
|
||||||
transparent proxy running on the firewall
|
transparent proxy running on the firewall
|
||||||
@ -123,15 +127,49 @@ DEST</b></td>
|
|||||||
There may be a requirement to exclude additional destination
|
There may be a requirement to exclude additional destination
|
||||||
hosts or networks from being redirected. For example, you might also
|
hosts or networks from being redirected. For example, you might also
|
||||||
want
|
want
|
||||||
requests destined for 130.252.100.0/24 to not be routed to Squid. In
|
requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
|
||||||
that
|
<br>
|
||||||
case, you must add a manual rule in /etc/shorewall/start:<br>
|
If you are running Shorewall version 1.4.5 or later, you may just add
|
||||||
|
the additional hosts/networks to the ORIGINAL DEST column in your
|
||||||
|
REDIRECT rule:<br>
|
||||||
|
<br>
|
||||||
|
<div style="margin-left: 40px;">
|
||||||
|
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td><b>ACTION</b></td>
|
||||||
|
<td><b>SOURCE</b></td>
|
||||||
|
<td><b>DEST</b></td>
|
||||||
|
<td><b> PROTO</b></td>
|
||||||
|
<td><b>DEST<br>
|
||||||
|
PORT(S)</b></td>
|
||||||
|
<td><b>SOURCE<br>
|
||||||
|
PORT(S)</b></td>
|
||||||
|
<td><b>ORIGINAL<br>
|
||||||
|
DEST</b></td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>REDIRECT</td>
|
||||||
|
<td>loc</td>
|
||||||
|
<td>3128</td>
|
||||||
|
<td>tcp</td>
|
||||||
|
<td>www</td>
|
||||||
|
<td> -<br>
|
||||||
|
</td>
|
||||||
|
<td>!206.124.146.177,130.252.100.0/24</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
<br>
|
||||||
|
If you are running a Shorewall version earlier than 1.4.5, you must add
|
||||||
|
a manual rule in /etc/shorewall/start:<br>
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
|
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
To exclude additional hosts or networks, just add additional
|
To exclude additional hosts or networks, just add additional
|
||||||
similar rules.<br>
|
similar rules.<br>
|
||||||
<h2><a name="Local"></a>Squid Running in the local network</h2>
|
<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
|
||||||
You want to redirect all local www connection requests to a Squid
|
You want to redirect all local www connection requests to a Squid
|
||||||
transparent proxy running in your local zone at 192.168.1.3 and
|
transparent proxy running in your local zone at 192.168.1.3 and
|
||||||
listening
|
listening
|
||||||
@ -273,7 +311,8 @@ command above:<br>
|
|||||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<blockquote> </blockquote>
|
<blockquote> </blockquote>
|
||||||
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
|
<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
|
||||||
|
what I do)</h2>
|
||||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||||
You want to run both a web server and Squid on that system. Your DMZ
|
You want to run both a web server and Squid on that system. Your DMZ
|
||||||
interface is eth1 and your local interface is eth2.<br>
|
interface is eth1 and your local interface is eth2.<br>
|
||||||
@ -455,7 +494,133 @@ command above:<br>
|
|||||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<blockquote> </blockquote>
|
<blockquote> </blockquote>
|
||||||
<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
|
<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
|
||||||
|
Assume that Squid is running in zone SZ and listening on port SP; all
|
||||||
|
web sites that are to be accessed through Squid are in the 'net' zone.
|
||||||
|
Then for each zone Z that needs access to the Squid server:<br>
|
||||||
|
<br>
|
||||||
|
<div style="margin-left: 40px;">
|
||||||
|
<table cellpadding="2" border="1" cellspacing="0">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td valign="top">ACTION<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">SOURCE<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">DEST<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">PROTO<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">DEST<br>
|
||||||
|
PORT(S)<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">CLIENT<br>
|
||||||
|
PORT(2)<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">ORIGINAL<br>
|
||||||
|
DEST<br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td valign="top">ACCEPT<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">Z<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">SZ<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">tcp<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">SP<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td valign="top">ACCEPT<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">SZ<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">net<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">tcp<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">80<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
<br>
|
||||||
|
Example:<br>
|
||||||
|
<br>
|
||||||
|
<div style="margin-left: 40px;">Squid on the firewall listening on port
|
||||||
|
8080 with access from the 'loc' zone:<br>
|
||||||
|
<br>
|
||||||
|
<table cellpadding="2" border="1" cellspacing="0">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td valign="top">ACTION<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">SOURCE<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">DEST<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">PROTO<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">DEST<br>
|
||||||
|
PORT(S)<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">CLIENT<br>
|
||||||
|
PORT(2)<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">ORIGINAL<br>
|
||||||
|
DEST<br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td valign="top">ACCEPT<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">loc<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">$FW<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">tcp<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">8080<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td valign="top">ACCEPT<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">$FW<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">net<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">tcp<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">80<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<br>
|
||||||
|
</div>
|
||||||
|
<p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
|
||||||
|
Eastep</a>
|
||||||
</font></p>
|
</font></p>
|
||||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||||
|
|||||||
@ -28,25 +28,25 @@ Issues</font></h1>
|
|||||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||||
a corrected script, be sure to run the script through <u> <a
|
a corrected script, be sure to run the script through <u> <a
|
||||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
style="text-decoration: none;"> dos2unix</a></u> after you have moved it
|
||||||
it to your Linux system.</b></p>
|
to your Linux system.</b></p>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p align="left"> <b>If you are installing Shorewall for the first
|
<p align="left"> <b>If you are installing Shorewall for the first
|
||||||
time and plan to use the .tgz and install.sh script, you can untar
|
time and plan to use the .tgz and install.sh script, you can untar the
|
||||||
the archive, replace the 'firewall' script in the untarred directory
|
archive, replace the 'firewall' script in the untarred directory with
|
||||||
with the one you downloaded below, and then run install.sh.</b></p>
|
the one you downloaded below, and then run install.sh.</b></p>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p align="left"> <b>When the instructions say to install a
|
<p align="left"> <b>When the instructions say to install a
|
||||||
corrected firewall script in /usr/share/shorewall/firewall,
|
corrected firewall script in /usr/share/shorewall/firewall, you may
|
||||||
you may rename the existing file before copying in the new file.</b></p>
|
rename the existing file before copying in the new file.</b></p>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
|
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
|
||||||
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
|
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
|
||||||
BELOW. For example, do NOT install the 1.3.9a firewall script
|
BELOW. For example, do NOT install the 1.3.9a firewall script if you are
|
||||||
if you are running 1.3.7c.</font></b><br>
|
running 1.3.7c.</font></b><br>
|
||||||
</p>
|
</p>
|
||||||
</li>
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
@ -61,8 +61,7 @@ Version 1.1</a></font></b></li>
|
|||||||
<li> <b><font color="#660066"><a href="#iptables"> Problem with
|
<li> <b><font color="#660066"><a href="#iptables"> Problem with
|
||||||
iptables version 1.2.3 on RH7.2</a></font></b></li>
|
iptables version 1.2.3 on RH7.2</a></font></b></li>
|
||||||
<li> <b><a href="#Debug">Problems with kernels >= 2.4.18 and
|
<li> <b><a href="#Debug">Problems with kernels >= 2.4.18 and
|
||||||
RedHat
|
RedHat iptables</a></b></li>
|
||||||
iptables</a></b></li>
|
|
||||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
||||||
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
|
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
|
||||||
MULTIPORT=Yes</a></b></li>
|
MULTIPORT=Yes</a></b></li>
|
||||||
@ -75,12 +74,35 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
|
|||||||
<hr>
|
<hr>
|
||||||
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
|
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
|
||||||
<h3></h3>
|
<h3></h3>
|
||||||
|
<h3>1.4.7</h3>
|
||||||
|
<ul>
|
||||||
|
<li>Using some versions of 'ash' (such as from RH8) as the
|
||||||
|
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
|
||||||
|
<br>
|
||||||
|
local: --limit: bad variable name<br>
|
||||||
|
iptables v1.2.8: Couldn't load match
|
||||||
|
`-j':/lib/iptables/libipt_-j.so: <br>
|
||||||
|
cannot open shared object file: No such file or directory<br>
|
||||||
|
Try `iptables -h' or 'iptables --help' for more information.</li>
|
||||||
|
<li>When more than one ICMP type is listed in a rule and your kernel
|
||||||
|
includes multiport match support, the firewall fails to start. </li>
|
||||||
|
<li>Regardless of the setting of LOGUNCLEAN, the value
|
||||||
|
LOGUNCLEAN=info was used.</li>
|
||||||
|
<li>After the following error message, Shorewall was left in an
|
||||||
|
inconsistent state:<br>
|
||||||
|
<br>
|
||||||
|
Error: Unable to determine the routes through interface xxx<br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
These problems have been corrected in this <a
|
||||||
|
href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
|
||||||
|
script</a> which may be installed in /var/share/shorewall/firewall as
|
||||||
|
described above.<br>
|
||||||
<h3>1.4.6</h3>
|
<h3>1.4.6</h3>
|
||||||
<ul>
|
<ul>
|
||||||
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
|
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
|
||||||
would fail to start with the error "ERROR: Traffic Control
|
would fail to start with the error "ERROR: Traffic Control requires
|
||||||
requires Mangle";
|
Mangle"; that problem has been corrected in <a
|
||||||
that problem has been corrected in <a
|
|
||||||
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||||
firewall script</a> which may be installed in
|
firewall script</a> which may be installed in
|
||||||
/var/share/shorewall/firewall as described above. This problem is also
|
/var/share/shorewall/firewall as described above. This problem is also
|
||||||
@ -89,40 +111,34 @@ corrected in bugfix release 1.4.6a.</li>
|
|||||||
If a MAC address is used in the SOURCE column, an error occurs as
|
If a MAC address is used in the SOURCE column, an error occurs as
|
||||||
follows:<br>
|
follows:<br>
|
||||||
<br>
|
<br>
|
||||||
<font size="3"><tt>iptables v1.2.8: Bad mac adress
|
<font size="3"><tt>iptables v1.2.8: Bad mac adress
|
||||||
`00:08:B5:35:52:E7-d`</tt></font><br>
|
`00:08:B5:35:52:E7-d`</tt></font><br>
|
||||||
<br>
|
<br>
|
||||||
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
|
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
|
||||||
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||||
firewall script</a> which may be installed in
|
firewall script</a> which may be installed in
|
||||||
/var/share/shorewall/firewall
|
/var/share/shorewall/firewall as described above. For all other
|
||||||
as described above. For all other versions, you will have to edit your
|
versions, you will have to edit your 'firewall' script (in versions
|
||||||
'firewall'
|
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
|
||||||
script (in versions 1.4.*, it is located in
|
function add_tcrule_() and in that function, replace this line:<br>
|
||||||
/usr/share/shorewall/firewall).
|
|
||||||
Locate the function add_tcrule_() and in that function, replace this
|
|
||||||
line:<br>
|
|
||||||
<br>
|
<br>
|
||||||
<span style="font-family: monospace;">r=`mac_match
|
<span style="font-family: monospace;">r=`mac_match $source` </span><br>
|
||||||
$source` </span><br>
|
|
||||||
<br>
|
<br>
|
||||||
with<br>
|
with<br>
|
||||||
<br>
|
<br>
|
||||||
<span style="font-family: monospace;">r="`mac_match
|
<span style="font-family: monospace;">r="`mac_match $source` "</span><br>
|
||||||
$source` "</span><br>
|
|
||||||
<br>
|
<br>
|
||||||
Note that there must be a space before the ending quote!<br>
|
Note that there must be a space before the ending quote!<br>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<h3>1.4.4b</h3>
|
<h3>1.4.4b</h3>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
|
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
|
||||||
that have an empty second column (HOSTS). This problem may be corrected
|
have an empty second column (HOSTS). This problem may be corrected by
|
||||||
by installing <a
|
installing <a
|
||||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
|
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
|
||||||
target="_top">this firewall script</a> in
|
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
|
||||||
/usr/share/shorewall/firewall as
|
as described above.</li>
|
||||||
described above.</li>
|
|
||||||
<li>The INCLUDE directive doesn't work when placed in the
|
<li>The INCLUDE directive doesn't work when placed in the
|
||||||
/etc/shorewall/zones file. This problem may be corrected by installing <a
|
/etc/shorewall/zones file. This problem may be corrected by installing <a
|
||||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
|
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
|
||||||
@ -137,9 +153,8 @@ though the log level for the console is set properly according to <a
|
|||||||
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
|
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
|
||||||
installing <a
|
installing <a
|
||||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
|
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
|
||||||
target="_top">this firewall script</a> in
|
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
|
||||||
/usr/share/shorewall/firewall as
|
as described above.<br>
|
||||||
described above.<br>
|
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<h3>1.4.4<br>
|
<h3>1.4.4<br>
|
||||||
@ -147,8 +162,7 @@ described above.<br>
|
|||||||
<ul>
|
<ul>
|
||||||
<li> If you have zone names that are 5 characters long, you may
|
<li> If you have zone names that are 5 characters long, you may
|
||||||
experience problems starting Shorewall because the --log-prefix in a
|
experience problems starting Shorewall because the --log-prefix in a
|
||||||
logging rule is too long. Upgrade to Version 1.4.4a to fix this
|
logging rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
|
||||||
problem..</li>
|
|
||||||
</ul>
|
</ul>
|
||||||
<h3>1.4.3</h3>
|
<h3>1.4.3</h3>
|
||||||
<ul>
|
<ul>
|
||||||
@ -157,8 +171,8 @@ to allow integration of Shorewall with Fireparse
|
|||||||
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
|
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
|
||||||
of the integration problem. I have implimented a new LOGFORMAT variable
|
of the integration problem. I have implimented a new LOGFORMAT variable
|
||||||
which will replace LOGMARKER which has completely solved this problem
|
which will replace LOGMARKER which has completely solved this problem
|
||||||
and is currently in production with fireparse here at shorewall.net.
|
and is currently in production with fireparse here at shorewall.net. The
|
||||||
The updated files may be found at <a
|
updated files may be found at <a
|
||||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
|
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
|
||||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
|
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
|
||||||
See the 0README.txt file for details.<br>
|
See the 0README.txt file for details.<br>
|
||||||
@ -170,9 +184,8 @@ See the 0README.txt file for details.<br>
|
|||||||
directory created in /tmp is not being removed. This problem may be
|
directory created in /tmp is not being removed. This problem may be
|
||||||
corrected by installing <a
|
corrected by installing <a
|
||||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
|
||||||
target="_top">this firewall script</a> in
|
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
|
||||||
/usr/share/shorewall/firewall as
|
as described above. <br>
|
||||||
described above. <br>
|
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
|
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
|
||||||
@ -190,8 +203,8 @@ in /etc/shorewall/common.def.<br>
|
|||||||
<li>When a "shorewall check" command is executed, each "rule"
|
<li>When a "shorewall check" command is executed, each "rule"
|
||||||
produces the harmless additional message:<br>
|
produces the harmless additional message:<br>
|
||||||
<br>
|
<br>
|
||||||
/usr/share/shorewall/firewall: line 2174: [: =:
|
/usr/share/shorewall/firewall: line 2174: [: =: unary operator
|
||||||
unary operator expected<br>
|
expected<br>
|
||||||
<br>
|
<br>
|
||||||
You may correct the problem by installing <a
|
You may correct the problem by installing <a
|
||||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
|
||||||
@ -202,8 +215,8 @@ You may correct the problem by installing <a
|
|||||||
<h3>1.4.0</h3>
|
<h3>1.4.0</h3>
|
||||||
<ul>
|
<ul>
|
||||||
<li>When running under certain shells Shorewall will attempt to
|
<li>When running under certain shells Shorewall will attempt to
|
||||||
create ECN rules even when /etc/shorewall/ecn is empty. You may
|
create ECN rules even when /etc/shorewall/ecn is empty. You may either
|
||||||
either just remove /etc/shorewall/ecn or you can install <a
|
just remove /etc/shorewall/ecn or you can install <a
|
||||||
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
|
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
|
||||||
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
|
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
|
||||||
</li>
|
</li>
|
||||||
@ -218,36 +231,35 @@ with iptables version 1.2.3</font></h3>
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<p align="left">There are a couple of serious bugs in iptables 1.2.3
|
<p align="left">There are a couple of serious bugs in iptables 1.2.3
|
||||||
that prevent it from working with Shorewall. Regrettably, RedHat
|
that prevent it from working with Shorewall. Regrettably, RedHat
|
||||||
released this buggy iptables in RedHat 7.2. </p>
|
released this buggy iptables in RedHat 7.2. </p>
|
||||||
<p align="left"> I have built a <a
|
<p align="left"> I have built a <a
|
||||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||||
corrected 1.2.3 rpm which you can download here</a> and I have
|
corrected 1.2.3 rpm which you can download here</a> and I have also
|
||||||
also built an <a
|
built an <a
|
||||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||||
iptables-1.2.4 rpm which you can download here</a>. If you are
|
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||||
currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
running RedHat 7.1, you can install either of these RPMs <b><u>before</u> </b>you
|
||||||
</b>you upgrade to RedHat 7.2.</p>
|
upgrade to RedHat 7.2.</p>
|
||||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||||
has released an iptables-1.2.4 RPM of their own which
|
has released an iptables-1.2.4 RPM of their own which you can download
|
||||||
you can download from<font color="#ff6633"> <a
|
from<font color="#ff6633"> <a
|
||||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
|
||||||
</font>I have installed this RPM on my firewall and
|
have installed this RPM on my firewall and it works fine.</p>
|
||||||
it works fine.</p>
|
|
||||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||||
the patches are available for download. This <a
|
the patches are available for download. This <a
|
||||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||||
which corrects a problem with parsing of the --log-level specification
|
which corrects a problem with parsing of the --log-level specification
|
||||||
while this <a
|
while this <a
|
||||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
||||||
corrects a problem in handling the TOS target.</p>
|
corrects a problem in handling the TOS target.</p>
|
||||||
<p align="left">To install one of the above patches:</p>
|
<p align="left">To install one of the above patches:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>cd iptables-1.2.3/extensions</li>
|
<li>cd iptables-1.2.3/extensions</li>
|
||||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||||
</ul>
|
</ul>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18 and
|
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18 and RedHat
|
||||||
RedHat iptables</h3>
|
iptables</h3>
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
|
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
|
||||||
2.4.18/19 may experience the following:</p>
|
2.4.18/19 may experience the following:</p>
|
||||||
@ -256,13 +268,11 @@ RedHat iptables</h3>
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
||||||
user-space debugging code was not updated to reflect recent changes in
|
user-space debugging code was not updated to reflect recent changes in
|
||||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
the Netfilter 'mangle' table. You can correct the problem by installing <a
|
||||||
<a
|
|
||||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||||
this iptables RPM</a>. If you are already running a
|
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
||||||
1.2.5 version of iptables, you will need to specify the
|
iptables, you will need to specify the --oldpackage option to rpm
|
||||||
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
|
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||||
iptables-1.2.5-1.i386.rpm").</p>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
|
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
|
||||||
<p>If you find that rpm complains about a conflict with kernel <=
|
<p>If you find that rpm complains about a conflict with kernel <=
|
||||||
@ -274,8 +284,8 @@ option to rpm.</p>
|
|||||||
MULTIPORT=Yes</b></h3>
|
MULTIPORT=Yes</b></h3>
|
||||||
<p>The iptables 1.2.7 release of iptables has made an incompatible
|
<p>The iptables 1.2.7 release of iptables has made an incompatible
|
||||||
change to the syntax used to specify multiport match rules; as a
|
change to the syntax used to specify multiport match rules; as a
|
||||||
consequence, if you install iptables 1.2.7 you must be running
|
consequence, if you install iptables 1.2.7 you must be running Shorewall
|
||||||
Shorewall 1.3.7a or later or:</p>
|
1.3.7a or later or:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
|
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
|
||||||
<li>if you are running Shorewall 1.3.6 you may install <a
|
<li>if you are running Shorewall 1.3.6 you may install <a
|
||||||
@ -288,28 +298,25 @@ above.</li>
|
|||||||
/etc/shorewall/nat entries of the following form will result in
|
/etc/shorewall/nat entries of the following form will result in
|
||||||
Shorewall being unable to start:<br>
|
Shorewall being unable to start:<br>
|
||||||
<br>
|
<br>
|
||||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
Error message is:<br>
|
Error message is:<br>
|
||||||
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
||||||
The solution is to put "no" in the LOCAL column. Kernel support for
|
The solution is to put "no" in the LOCAL column. Kernel support for
|
||||||
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
|
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
|
||||||
2.4.19 kernel contains corrected support
|
2.4.19 kernel contains corrected support under a new kernel
|
||||||
under a new kernel configuraiton option; see <a
|
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||||
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
|
||||||
<br>
|
<br>
|
||||||
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
|
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
|
||||||
and REJECT
|
REJECT (also applies to 2.4.21-RC1)</b></h3>
|
||||||
(also applies to 2.4.21-RC1)</b></h3>
|
|
||||||
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
|
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
|
||||||
tcp-reset" is broken. The symptom most commonly seen is that REJECT
|
tcp-reset" is broken. The symptom most commonly seen is that REJECT
|
||||||
rules act just like DROP rules when dealing with TCP. A kernel patch
|
rules act just like DROP rules when dealing with TCP. A kernel patch and
|
||||||
and precompiled modules to fix this problem are available at <a
|
precompiled modules to fix this problem are available at <a
|
||||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
|
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
|
||||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
|
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
|
||||||
<hr>
|
<hr>
|
||||||
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
|
<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
|
||||||
Eastep</a></font>
|
Eastep</a></font> </p>
|
||||||
</p>
|
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||||
</p>
|
</p>
|
||||||
|
|||||||
@ -40,10 +40,9 @@ and control that facility. Netfilter can be used in ipchains
|
|||||||
compatibility mode.<br>
|
compatibility mode.<br>
|
||||||
</li>
|
</li>
|
||||||
<li>iptables - the utility program used to configure and
|
<li>iptables - the utility program used to configure and
|
||||||
control
|
control Netfilter. The term 'iptables' is often used to refer to the
|
||||||
Netfilter. The term 'iptables' is often used to refer to the
|
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||||
combination of iptables+Netfilter (with Netfilter not in
|
compatibility mode).<br>
|
||||||
ipchains compatibility mode).<br>
|
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
The Shoreline Firewall, more commonly known as "Shorewall", is
|
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||||
@ -59,12 +58,13 @@ capabilities.<br>
|
|||||||
<br>
|
<br>
|
||||||
This program is free software; you can redistribute it and/or modify it
|
This program is free software; you can redistribute it and/or modify it
|
||||||
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||||
2 of the GNU
|
2 of the GNU General Public License</a> as published by the Free
|
||||||
General Public License</a> as published by the Free Software Foundation.<br>
|
Software Foundation.<br>
|
||||||
<p> This program is distributed in the hope that it will be
|
<p> This program is distributed in the hope that it will be
|
||||||
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
|
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
General Public License for more details.<br>
|
General
|
||||||
|
Public License for more details.<br>
|
||||||
<br>
|
<br>
|
||||||
You should have received a copy of the GNU General Public License along
|
You should have received a copy of the GNU General Public License along
|
||||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||||
@ -84,23 +84,73 @@ Shorewall. For older versions:<br>
|
|||||||
<h2>Getting Started with Shorewall</h2>
|
<h2>Getting Started with Shorewall</h2>
|
||||||
New to Shorewall? Start by selecting the <a
|
New to Shorewall? Start by selecting the <a
|
||||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||||
closely match your environment
|
closely match your environment and follow the step by step instructions.<br>
|
||||||
and follow the step by step instructions.<br>
|
|
||||||
<h2>Looking for Information?</h2>
|
<h2>Looking for Information?</h2>
|
||||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
Index</a> is a good place to start as is the Quick Search to your
|
Index</a> is a good place to start as is the Quick Search to your
|
||||||
right.
|
right.
|
||||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||||
If so, the documentation<b> </b>on
|
If so, the documentation<b> </b>on this site will not apply directly
|
||||||
this site will not apply directly to your setup. If you want
|
to
|
||||||
to use the documentation that you find here, you will want to consider
|
your setup. If you want to use the documentation that you find here,
|
||||||
uninstalling what you have and installing a setup that matches the
|
you will want to consider uninstalling what you have and installing a
|
||||||
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
setup that matches the documentation on this site. See the <a
|
||||||
QuickStart Guide</a> for details.<br>
|
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||||
|
details.<br>
|
||||||
<h2>News</h2>
|
<h2>News</h2>
|
||||||
<p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
|
||||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||||
src="images/new10.gif" alt="(New)" title=""><br>
|
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||||
|
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||||
|
</p>
|
||||||
|
<ol>
|
||||||
|
<li>Tuomo Soini has supplied a correction to a problem that
|
||||||
|
occurs
|
||||||
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||||
|
fails with:<br>
|
||||||
|
<br>
|
||||||
|
local: --limit: bad variable name<br>
|
||||||
|
iptables v1.2.8: Couldn't load match
|
||||||
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||||
|
cannot open shared object file: No such file or directory<br>
|
||||||
|
Try `iptables -h' or 'iptables --help' for more
|
||||||
|
information.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||||
|
to use the multiport match iptables facility on ICMP rules.<br>
|
||||||
|
<br>
|
||||||
|
Example of rule that previously caused "shorewall start"
|
||||||
|
to fail:<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
ACCEPT loc $FW
|
||||||
|
icmp 0,8,11,12<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Previously, if the following error message was issued,
|
||||||
|
Shorewall was left in an inconsistent state.<br>
|
||||||
|
<br>
|
||||||
|
Error: Unable to determine the routes routes through
|
||||||
|
interface xxx<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||||
|
been corrected.</li>
|
||||||
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||||
|
optimization
|
||||||
|
involved creating a chain named "<zone>_frwd" for most zones
|
||||||
|
defined using the /etc/shorewall/hosts file. It has since been
|
||||||
|
discovered that in many cases these new chains contain redundant rules
|
||||||
|
and that the "optimization" turns out to be less than optimal. The
|
||||||
|
implementation has now been corrected.</li>
|
||||||
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||||
|
or
|
||||||
|
":P", the ":F" or ":P" was previously only applied to the first
|
||||||
|
Netfilter rule generated by the entry. It is now applied to all entries.<br>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
|
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
|
||||||
</b></p>
|
</b></p>
|
||||||
<b>Problems Corrected since version 1.4.6 (Those in bold font
|
<b>Problems Corrected since version 1.4.6 (Those in bold font
|
||||||
were corrected since 1.4.7 RC2)</b><br>
|
were corrected since 1.4.7 RC2)</b><br>
|
||||||
@ -119,62 +169,52 @@ were being added to a PPP interface; the addresses were successfully
|
|||||||
added in spite of the messages.<br>
|
added in spite of the messages.<br>
|
||||||
<br>
|
<br>
|
||||||
The firewall script has been modified to eliminate the error messages</li>
|
The firewall script has been modified to eliminate the error messages</li>
|
||||||
<li>Interface-specific dynamic blacklisting chains are
|
<li>Interface-specific dynamic blacklisting chains are now
|
||||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||||
(previously named "Dynamic Chain").</li>
|
(previously named "Dynamic Chain").</li>
|
||||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||||
<li>The 'shorewall reject' and
|
<li>The 'shorewall reject' and 'shorewall drop' commands now
|
||||||
'shorewall drop' commands now delete any existing rules for the subject
|
delete any existing rules for the subject IP address before adding a
|
||||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
new DROP or REJECT rule. Previously, there could be many rules for the
|
||||||
could be many rules for the same IP address in the dynamic chain so
|
same IP address in the dynamic chain so that multiple 'allow' commands
|
||||||
that multiple 'allow' commands were required to re-enable traffic
|
were required to re-enable traffic to/from the address.</li>
|
||||||
to/from the address.</li>
|
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
|
||||||
<li>When ADD_SNAT_ALIASES=Yes in
|
entry in /etc/shorewall/masq resulted in a startup error:<br>
|
||||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
|
||||||
a startup error:<br>
|
|
||||||
<br>
|
<br>
|
||||||
eth0 eth1
|
eth0 eth1
|
||||||
206.124.146.20-206.124.146.24<br>
|
206.124.146.20-206.124.146.24<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Shorewall previously choked over
|
<li>Shorewall previously choked over IPV6 addresses configured
|
||||||
IPV6 addresses configured on interfaces in contexts where Shorewall
|
on interfaces in contexts where Shorewall needed to detect something
|
||||||
needed to detect something about the interface (such as when "detect"
|
about the interface (such as when "detect" appears in the BROADCAST
|
||||||
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
column of the /etc/shorewall/interfaces file).</li>
|
||||||
<li>Shorewall will now load
|
<li>Shorewall will now load module files that are formed from
|
||||||
module files that are formed from the module name by appending ".o.gz".</li>
|
the module name by appending ".o.gz".</li>
|
||||||
<li>When Shorewall adds a route to a
|
<li>When Shorewall adds a route to a proxy ARP host and such a
|
||||||
proxy ARP host and such a route already exists, two routes resulted
|
route already exists, two routes resulted previously. This has been
|
||||||
previously. This has been corrected so that the existing route is
|
corrected so that the existing route is replaced if it already exists.</li>
|
||||||
replaced if it already exists.</li>
|
<li>The rfc1918 file has been updated to reflect recent
|
||||||
<li>The rfc1918 file has been
|
allocations.</li>
|
||||||
updated to reflect recent allocations.</li>
|
<li>The documentation of the USER SET column in the rules file
|
||||||
<li>The documentation of the
|
has been corrected.</li>
|
||||||
USER SET column in the rules file has been corrected.</li>
|
<li>If there is no policy defined for the zones specified in a
|
||||||
<li>If there is no policy
|
rule, the firewall script previously encountered a shell syntax error:<br>
|
||||||
defined for
|
<br>
|
||||||
the zones specified in a rule, the firewall script previously
|
|
||||||
encountered a shell syntax error:<br>
|
|
||||||
|
|
||||||
<br>
|
|
||||||
[: NONE: unexpected operator<br>
|
[: NONE: unexpected operator<br>
|
||||||
|
<br>
|
||||||
<br>
|
|
||||||
Now, the absence of a policy generates an error message and the
|
Now, the absence of a policy generates an error message and the
|
||||||
firewall is stopped:<br>
|
firewall is stopped:<br>
|
||||||
|
<br>
|
||||||
<br>
|
|
||||||
No policy defined from zone
|
No policy defined from zone
|
||||||
<source> to zone <dest><br>
|
<source> to zone <dest><br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Previously, if neither
|
<li>Previously, if neither /etc/shorewall/common nor
|
||||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
/etc/shorewall/common.def existed, Shorewall would fail to start and
|
||||||
would fail to start and would not remove the lock file. Failure to
|
would not remove the lock file. Failure to remove the lock file
|
||||||
remove the lock file resulted in the following during subsequent
|
resulted in the following during subsequent attempts to start:<br>
|
||||||
attempts to start:<br>
|
<br>
|
||||||
|
|
||||||
<br>
|
|
||||||
Loading /usr/share/shorewall/functions...<br>
|
Loading /usr/share/shorewall/functions...<br>
|
||||||
Processing /etc/shorewall/params ...<br>
|
Processing /etc/shorewall/params ...<br>
|
||||||
Processing /etc/shorewall/shorewall.conf...<br>
|
Processing /etc/shorewall/shorewall.conf...<br>
|
||||||
@ -183,19 +223,17 @@ attempts to start:<br>
|
|||||||
<br>
|
<br>
|
||||||
Shorewall now reports a fatal error if neither of these two files exist
|
Shorewall now reports a fatal error if neither of these two files exist
|
||||||
and correctly removes the lock fille.</li>
|
and correctly removes the lock fille.</li>
|
||||||
<li>The order of processing
|
<li>The order of processing the various options has been
|
||||||
the
|
changed such that blacklist entries now take precedence over the 'dhcp'
|
||||||
various options has been changed such that blacklist entries now take
|
interface setting.</li>
|
||||||
precedence over the 'dhcp' interface setting.</li>
|
<li>The log message generated from the 'logunclean' interface
|
||||||
<li>The log message generated
|
option has been changed to reflect a disposition of LOG rather than
|
||||||
from the
|
DROP.</li>
|
||||||
'logunclean' interface option has been changed to reflect a disposition
|
|
||||||
of LOG rather than DROP.</li>
|
|
||||||
<li><span style="font-weight: bold;">When a user name and/or a
|
<li><span style="font-weight: bold;">When a user name and/or a
|
||||||
group
|
group name was specified in the USER SET column and the destination
|
||||||
name was specified in the USER SET column and the destination zone was
|
zone
|
||||||
qualified with a IP address, the user and/or group name was not being
|
was qualified with a IP address, the user and/or group name was not
|
||||||
used to qualify the rule.<br>
|
being used to qualify the rule.<br>
|
||||||
<br>
|
<br>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
@ -225,8 +263,9 @@ command-specific help (e.g., shorewall help <command>).</li>
|
|||||||
<li>A new option "ADMINISABSENTMINDED" has been added to
|
<li>A new option "ADMINISABSENTMINDED" has been added to
|
||||||
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
||||||
for existing users which causes Shorewall's 'stopped' state to
|
for existing users which causes Shorewall's 'stopped' state to
|
||||||
continue as it has been; namely, in the stopped state only traffic
|
continue
|
||||||
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
as it has been; namely, in the stopped state only traffic to/from hosts
|
||||||
|
listed in /etc/shorewall/routestopped is accepted.<br>
|
||||||
<br>
|
<br>
|
||||||
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
||||||
addition to traffic to/from the hosts listed in
|
addition to traffic to/from the hosts listed in
|
||||||
@ -234,7 +273,8 @@ addition to traffic to/from the hosts listed in
|
|||||||
<br>
|
<br>
|
||||||
a) All traffic originating from the firewall itself; and<br>
|
a) All traffic originating from the firewall itself; and<br>
|
||||||
b) All traffic that is part of or related to an
|
b) All traffic that is part of or related to an
|
||||||
already-existing connection.<br>
|
already-existing
|
||||||
|
connection.<br>
|
||||||
<br>
|
<br>
|
||||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||||
entered through an ssh session will not kill the session.<br>
|
entered through an ssh session will not kill the session.<br>
|
||||||
@ -258,12 +298,9 @@ fw tcp 22<br>
|
|||||||
<br>
|
<br>
|
||||||
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
||||||
connection with local system 192.168.1.5. I then create a second SSH
|
connection with local system 192.168.1.5. I then create a second SSH
|
||||||
connection
|
connection from that computer to the firewall and confidently type
|
||||||
from that computer to the firewall and confidently type "shorewall
|
"shorewall stop". As part of its stop processing, Shorewall removes
|
||||||
stop".
|
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
|
||||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
|
||||||
SSH
|
|
||||||
connection to 192.168.1.5!!!</li>
|
|
||||||
<li>Given the wide range of VPN software, I can never hope to
|
<li>Given the wide range of VPN software, I can never hope to
|
||||||
add specific support for all of it. I have therefore decided to add
|
add specific support for all of it. I have therefore decided to add
|
||||||
"generic" tunnel support.<br>
|
"generic" tunnel support.<br>
|
||||||
@ -283,15 +320,17 @@ where:<br>
|
|||||||
<protocol> is the protocol
|
<protocol> is the protocol
|
||||||
used by the tunnel<br>
|
used by the tunnel<br>
|
||||||
<port> if the protocol
|
<port> if the protocol
|
||||||
is 'udp' or 'tcp' then this is the destination port number used by the
|
is 'udp' or 'tcp' then this is the
|
||||||
tunnel.<br>
|
destination port number used by the tunnel.<br>
|
||||||
<zone> is the zone of
|
<zone> is the zone of
|
||||||
the remote tunnel gateway<br>
|
the remote tunnel gateway<br>
|
||||||
<ip address> is the IP
|
<ip address> is the IP
|
||||||
address of the remote tunnel gateway.<br>
|
address of the remote tunnel
|
||||||
|
gateway.<br>
|
||||||
<gateway zone>
|
<gateway zone>
|
||||||
Optional. A comma-separated list of zone names. If specified, the
|
Optional. A comma-separated list of zone
|
||||||
remote gateway is to be considered part of these zones.</li>
|
names. If specified, the remote gateway is to be considered part of
|
||||||
|
these zones.</li>
|
||||||
<li>An 'arp_filter' option has been added to the
|
<li>An 'arp_filter' option has been added to the
|
||||||
/etc/shorewall/interfaces file. This option causes
|
/etc/shorewall/interfaces file. This option causes
|
||||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||||
@ -301,7 +340,8 @@ facilitates testing of your firewall where multiple firewall interfaces
|
|||||||
are connected to the same HUB/Switch (all interfaces connected to the
|
are connected to the same HUB/Switch (all interfaces connected to the
|
||||||
single HUB/Switch should have this option specified). Note that using
|
single HUB/Switch should have this option specified). Note that using
|
||||||
such a configuration in a production environment is strongly
|
such a configuration in a production environment is strongly
|
||||||
recommended against.</li>
|
recommended
|
||||||
|
against.</li>
|
||||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||||
@ -320,8 +360,9 @@ separately.<br>
|
|||||||
<br>
|
<br>
|
||||||
<span style="font-weight: bold;">Warning: </span>When rate
|
<span style="font-weight: bold;">Warning: </span>When rate
|
||||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||||
fields, the limit will apply to each pair of zones individually rather
|
fields,
|
||||||
than as a single limit for all pairs of covered by the rule.<br>
|
the limit will apply to each pair of zones individually rather than as
|
||||||
|
a single limit for all pairs of covered by the rule.<br>
|
||||||
<br>
|
<br>
|
||||||
To specify a rate limit, <br>
|
To specify a rate limit, <br>
|
||||||
<br>
|
<br>
|
||||||
@ -330,15 +371,14 @@ a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
|||||||
<
|
<
|
||||||
<rate>/<interval>[:<burst>] ><br>
|
<rate>/<interval>[:<burst>] ><br>
|
||||||
<br>
|
<br>
|
||||||
|
where<br>
|
||||||
where<br>
|
|
||||||
<br>
|
<br>
|
||||||
<rate> is the sustained rate per
|
<rate> is the sustained rate per
|
||||||
<interval><br>
|
<interval><br>
|
||||||
<interval> is "sec" or "min"<br>
|
<interval> is "sec" or "min"<br>
|
||||||
<burst> is the largest burst
|
<burst> is the largest burst
|
||||||
accepted within an <interval>. If not given, the default of 5 is
|
accepted within an
|
||||||
assumed.<br>
|
<interval>. If not given, the default of 5 is assumed.<br>
|
||||||
<br>
|
<br>
|
||||||
There may be no white space between the ACTION and "<" nor there may
|
There may be no white space between the ACTION and "<" nor there may
|
||||||
be any white space within the burst specification. If you want to
|
be any white space within the burst specification. If you want to
|
||||||
@ -364,59 +404,16 @@ After this, it will be 500ms (1 second divided by the rate<br>
|
|||||||
of 2) before a packet will be accepted from this rule, regardless of
|
of 2) before a packet will be accepted from this rule, regardless of
|
||||||
how many packets reach it. Also, every 500ms which passes without
|
how many packets reach it. Also, every 500ms which passes without
|
||||||
matching a packet, one of the bursts will be regained; if no packets
|
matching a packet, one of the bursts will be regained; if no packets
|
||||||
hit the rule for 2 second, the burst will be fully recharged; back
|
hit
|
||||||
where we started.<br>
|
the rule for 2 second, the burst will be fully recharged; back where we
|
||||||
|
started.<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Multiple chains may now be displayed in one "shorewall
|
<li>Multiple chains may now be displayed in one "shorewall
|
||||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||||
limited to a set of local users and/or groups. See <a
|
limited to a set of local users and/or groups. See <a
|
||||||
href="UserSets.html">http://shorewall.net/UserSets.html</a>
|
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
||||||
for details.<br>
|
details.<br>
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
</ol>
|
|
||||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
|
||||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
|
||||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
|
||||||
there is now a Shorewall Mirror in Australia:</p>
|
|
||||||
<p style="margin-left: 40px;"><a
|
|
||||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
|
|
||||||
size="3"><br>
|
|
||||||
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
|
|
||||||
</p>
|
|
||||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
|
||||||
Guide </b></p>
|
|
||||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
|
||||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
|
||||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
|
|
||||||
</font>
|
|
||||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <br>
|
|
||||||
</b></p>
|
|
||||||
<b>Problems Corrected since version 1.4.6:</b><br>
|
|
||||||
<ol>
|
|
||||||
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
|
||||||
then Shorewall would fail to start with the error "ERROR: Traffic
|
|
||||||
Control requires Mangle"; that problem has been corrected.</li>
|
|
||||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
|
||||||
the
|
|
||||||
tcrules file. Previously, these addresses resulted in an invalid
|
|
||||||
iptables
|
|
||||||
command.</li>
|
|
||||||
<li>The "shorewall stop" command is now disabled when
|
|
||||||
/etc/shorewall/startup_disabled
|
|
||||||
exists. This prevents people from shooting themselves in the foot prior
|
|
||||||
to
|
|
||||||
having configured Shorewall.</li>
|
|
||||||
<li>A change introduced in version 1.4.6 caused error messages
|
|
||||||
during
|
|
||||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
|
||||||
being
|
|
||||||
added to a PPP interface; the addresses were successfully added in
|
|
||||||
spite
|
|
||||||
of the messages.<br>
|
|
||||||
<br>
|
|
||||||
The firewall script has been modified to eliminate the error messages.<br>
|
|
||||||
</li>
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
<p><b></b></p>
|
<p><b></b></p>
|
||||||
@ -432,8 +429,8 @@ You can find their work at: <a
|
|||||||
href="http://leaf.sourceforge.net/devel/jnilo">
|
href="http://leaf.sourceforge.net/devel/jnilo">
|
||||||
http://leaf.sourceforge.net/devel/jnilo<br>
|
http://leaf.sourceforge.net/devel/jnilo<br>
|
||||||
</a></p>
|
</a></p>
|
||||||
<b>Congratulations to Jacques
|
<b>Congratulations to Jacques and Eric on the recent release of
|
||||||
and Eric on the recent release of Bering 1.2!!! </b><br>
|
Bering 1.2!!! </b><br>
|
||||||
<h2><a name="Donations"></a>Donations</h2>
|
<h2><a name="Donations"></a>Donations</h2>
|
||||||
</td>
|
</td>
|
||||||
<td width="88" bgcolor="#3366ff" valign="top" align="center">
|
<td width="88" bgcolor="#3366ff" valign="top" align="center">
|
||||||
@ -479,7 +476,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
|||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
<br>
|
<br>
|
||||||
</p>
|
</p>
|
||||||
<br>
|
<br>
|
||||||
|
|||||||
@ -1,119 +1,106 @@
|
|||||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
|
|
||||||
<meta http-equiv="Content-Language" content="en-us">
|
<meta http-equiv="Content-Language" content="en-us">
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
|
|
||||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||||
|
|
||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
<title>Shorewall Features</title>
|
<title>Shorewall Features</title>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%">
|
<td width="100%">
|
||||||
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
|
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
</tbody>
|
||||||
</tbody>
|
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>Uses Netfilter's connection tracking facilities for stateful packet
|
<li>Uses Netfilter's connection tracking facilities for stateful
|
||||||
filtering.</li>
|
packet filtering.</li>
|
||||||
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
|
<li>Can be used in a <b> wide range of router/firewall/gateway
|
||||||
|
applications</b>.
|
||||||
<ul>
|
<ul>
|
||||||
<li>Completely customizable using configuration files.</li>
|
<li>Completely customizable using configuration files.</li>
|
||||||
<li>No limit on the number of network interfaces.</li>
|
<li>No limit on the number of network interfaces.</li>
|
||||||
<li>Allows you to partitions the network into <i><a
|
<li>Allows you to partitions the network into <i><a
|
||||||
href="Documentation.htm#Zones">zones</a></i> and gives you complete
|
href="Documentation.htm#Zones">zones</a></i> and gives you complete
|
||||||
control over the connections permitted between each pair of zones.</li>
|
control over the connections permitted between each pair of
|
||||||
<li>Multiple interfaces per zone and multiple zones per interface
|
zones.</li>
|
||||||
permitted.</li>
|
<li>Multiple interfaces per zone and multiple zones per interface
|
||||||
<li>Supports nested and overlapping zones.</li>
|
permitted.</li>
|
||||||
|
<li>Supports nested and overlapping zones.</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
|
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
|
||||||
to help get your first firewall up and running quickly</li>
|
(HOWTOs)</a> to help get your first firewall up and running quickly</li>
|
||||||
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
|
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
|
||||||
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
|
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Extensive <b> <a
|
<li>Extensive <b> <a
|
||||||
href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
|
href="shorewall_quickstart_guide.htm#Documentation">documentation</a> </b>
|
||||||
</b> included in the .tgz and .rpm downloads.</li>
|
included in the .tgz and .rpm downloads.</li>
|
||||||
<li><b>Flexible address management/routing support</b> (and you can
|
<li><b>Flexible address management/routing support</b> (and you can
|
||||||
use all types in the same firewall):
|
use all types in the same firewall):
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
||||||
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
||||||
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
|
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
|
||||||
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
||||||
<li>Simple host/subnet Routing</li>
|
<li>Simple host/subnet Routing</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
|
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
|
||||||
individual IP addresses and subnetworks is supported.</li>
|
individual IP addresses and subnetworks is supported.</li>
|
||||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
|
<li><b><a href="starting_and_stopping_shorewall.htm">Operational
|
||||||
|
support</a></b>:
|
||||||
<ul>
|
<ul>
|
||||||
<li>Commands to start, stop and clear the firewall</li>
|
<li>Commands to start, stop and clear the firewall</li>
|
||||||
<li>Supports status monitoring with an audible
|
<li>Supports status monitoring with an audible
|
||||||
alarm when an "interesting" packet is detected.</li>
|
alarm when an "interesting" packet is detected.</li>
|
||||||
<li>Wide variety of informational commands.</li>
|
<li>Wide variety of informational commands.</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><b>VPN Support</b>
|
<li><b>VPN Support</b>
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE, IPIP and
|
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE, IPIP and
|
||||||
OpenVPN Tunnels</a>.</li>
|
OpenVPN Tunnels</a>.</li>
|
||||||
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
|
<li>Support for <a href="traffic_shaping.htm"><b>Traffic
|
||||||
integration.</li>
|
Control/Shaping</b></a> integration.</li>
|
||||||
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
||||||
|
<ul>
|
||||||
<ul>
|
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
||||||
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
|
||||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
|
packages available.</li>
|
||||||
packages available.</li>
|
<li>Includes <a href="Install.htm"><b>automated install,
|
||||||
<li>Includes <a href="Install.htm"><b>automated install, upgrade,
|
upgrade, fallback and uninstall facilities</b></a> for users
|
||||||
fallback and uninstall facilities</b></a> for users who can't use
|
who can't use or choose not to use the RPM or Debian packages.</li>
|
||||||
or choose not to use the RPM or Debian packages.</li>
|
<li>Included as a standard part of<b> <a
|
||||||
<li>Included as a standard part of<b> <a
|
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
|
||||||
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
|
on a floppy, CD or compact flash).</li>
|
||||||
on a floppy, CD or compact flash).</li>
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
|
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
|
||||||
Address <b>Verification</b><br>
|
Address <b>Verification</b></a></li>
|
||||||
</a><br>
|
<li><a href="Accounting.html">Traffic Accounting<br>
|
||||||
</li>
|
</a><br>
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
<p><font size="2">Last updated 10/12/2003 - <a href="support.htm">Tom
|
||||||
<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
Eastep</a></font></p>
|
||||||
|
|
||||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||||
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
|
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
|
||||||
</p>
|
</p>
|
||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|||||||
@ -24,8 +24,7 @@ Guides (HOWTO's)<br>
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<p align="center">With thanks to Richard who reminded me once again
|
<p align="center">With thanks to Richard who reminded me once again
|
||||||
that we
|
that we must all first walk before we can run.<br>
|
||||||
must all first walk before we can run.<br>
|
|
||||||
The French Translations of the single-IP guides are courtesy of Patrice
|
The French Translations of the single-IP guides are courtesy of Patrice
|
||||||
Vetsel<br>
|
Vetsel<br>
|
||||||
The French Translation of the Shorewall Setup Guide is courtesy of
|
The French Translation of the Shorewall Setup Guide is courtesy of
|
||||||
@ -50,16 +49,15 @@ acting as a firewall/router for a small local network and a DMZ. (<a
|
|||||||
<p>The above guides are designed to get your first firewall up and
|
<p>The above guides are designed to get your first firewall up and
|
||||||
running quickly in the three most common Shorewall configurations. If
|
running quickly in the three most common Shorewall configurations. If
|
||||||
you want to learn more about Shorewall than is explained in the above
|
you want to learn more about Shorewall than is explained in the above
|
||||||
simple guides, the <a href="shorewall_setup_guide.htm">Shorewall
|
simple guides, the <a href="shorewall_setup_guide.htm">Shorewall Setup
|
||||||
Setup Guide</a> (See Index Below) is for you.</p>
|
Guide</a> (See Index Below) is for you.</p>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<p>If you have <font color="#ff0000"><big><big><b>more than one public
|
<p>If you have <font color="#ff0000"><big><big><b>more than one public
|
||||||
IP address</b></big></big></font>:<br>
|
IP address</b></big></big></font>:<br>
|
||||||
</p>
|
</p>
|
||||||
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
|
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
|
||||||
Guide</a> (See Index Below) outlines the steps necessary to set up a
|
Guide</a> (See Index Below) outlines the steps necessary to set up a
|
||||||
firewall where there are multiple public IP
|
firewall where there are multiple public IP addresses involved or if you
|
||||||
addresses involved or if you
|
|
||||||
want to learn more about Shorewall than is explained in the
|
want to learn more about Shorewall than is explained in the
|
||||||
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
|
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
|
||||||
Française</a>).</blockquote>
|
Française</a>).</blockquote>
|
||||||
@ -79,15 +77,13 @@ Interfaces (e.g., eth0:0)</a><br>
|
|||||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||||
<li>Dynamic Blacklisting using
|
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||||
/sbin/shorewall</li>
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="starting_and_stopping_shorewall.htm">Commands</a>
|
<li><a href="starting_and_stopping_shorewall.htm">Commands</a>
|
||||||
(Description of
|
(Description of all /sbin/shorewall commands)</li>
|
||||||
all /sbin/shorewall commands)</li>
|
|
||||||
<li><a href="configuration_file_basics.htm">Common configuration file
|
<li><a href="configuration_file_basics.htm">Common configuration file
|
||||||
features</a> </li>
|
features</a> </li>
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="configuration_file_basics.htm#Comments">Comments in
|
<li><a href="configuration_file_basics.htm#Comments">Comments in
|
||||||
configuration files</a></li>
|
configuration files</a></li>
|
||||||
@ -142,14 +138,13 @@ in Shorewall</a> </li>
|
|||||||
</li>
|
</li>
|
||||||
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
|
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
|
||||||
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
|
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
|
||||||
code through the use of files in /etc/shorewall --
|
code through the use of files in /etc/shorewall -- /etc/shorewall/start,
|
||||||
/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
|
/etc/shorewall/stopped, etc.)</li>
|
||||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||||
<li><a href="FAQ.htm">FAQs</a><br>
|
<li><a href="FAQ.htm">FAQs</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="shorewall_features.htm">Features</a><br>
|
<li><a href="shorewall_features.htm">Features</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
|
|
||||||
<li><a href="FTP.html">FTP and Shorewall</a><br>
|
<li><a href="FTP.html">FTP and Shorewall</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="support.htm">Getting help or answers to questions</a></li>
|
<li><a href="support.htm">Getting help or answers to questions</a></li>
|
||||||
@ -164,7 +159,8 @@ code through the use of files in /etc/shorewall --
|
|||||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="MAC_Validation.html">MAC Verification</a></li>
|
<li><a href="MAC_Validation.html">MAC Verification</a></li>
|
||||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
|
<li><a href="http://lists.shorewall.net">Mailing Lists</a></li>
|
||||||
|
<li><a href="NetfilterOverview.html">Netfilter Overview</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="myfiles.htm">My Shorewall Configuration (How I
|
<li><a href="myfiles.htm">My Shorewall Configuration (How I
|
||||||
personally use Shorewall)</a></li>
|
personally use Shorewall)</a></li>
|
||||||
@ -178,8 +174,7 @@ personally use Shorewall)</a></li>
|
|||||||
<li>Ports used by Trojans</li>
|
<li>Ports used by Trojans</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="ProxyARP.htm">Proxy
|
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||||
ARP</a></li>
|
|
||||||
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
|
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="samba.htm">Samba</a></li>
|
<li><a href="samba.htm">Samba</a></li>
|
||||||
@ -197,8 +192,7 @@ Subnets and Routing</a>
|
|||||||
<ul>
|
<ul>
|
||||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
|
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
|
||||||
Addresses</a></li>
|
Addresses</a></li>
|
||||||
<li><a href="shorewall_setup_guide.htm#Subnets">4.2
|
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||||
Subnets</a></li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||||
Resolution Protocol (ARP)</a></li>
|
Resolution Protocol (ARP)</a></li>
|
||||||
@ -235,8 +229,7 @@ Starting and Stopping the Firewall</a></li>
|
|||||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the
|
href="starting_and_stopping_shorewall.htm">Starting/stopping the
|
||||||
Firewall</a></font></li>
|
Firewall</a></font></li>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Description of all /sbin/shorewall
|
<li>Description of all /sbin/shorewall commands</li>
|
||||||
commands</li>
|
|
||||||
<li>How to safely test a Shorewall configuration change<br>
|
<li>How to safely test a Shorewall configuration change<br>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
@ -255,8 +248,7 @@ doesn't work)</a></li>
|
|||||||
<li>VPN
|
<li>VPN
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||||
<li><a href="IPIP.htm">GRE and
|
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||||
IPIP</a></li>
|
|
||||||
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="PPTP.htm">PPTP</a></li>
|
<li><a href="PPTP.htm">PPTP</a></li>
|
||||||
@ -270,9 +262,9 @@ firewall to a remote network.</li>
|
|||||||
</li>
|
</li>
|
||||||
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
|
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
<p>If you use one of these guides and have a suggestion for improvement
|
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||||
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||||
<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
|
<p><font size="2">Last modified 10/11/2003 - <a href="support.htm">Tom
|
||||||
Eastep</a></font></p>
|
Eastep</a></font></p>
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
|
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
|
||||||
M. Eastep</font></a><br>
|
M. Eastep</font></a><br>
|
||||||
|
|||||||
@ -37,14 +37,12 @@ and control that facility. Netfilter can be used in ipchains
|
|||||||
compatibility mode.<br>
|
compatibility mode.<br>
|
||||||
</li>
|
</li>
|
||||||
<li>iptables - the utility program used to configure and
|
<li>iptables - the utility program used to configure and
|
||||||
control
|
control Netfilter. The term 'iptables' is often used to refer to the
|
||||||
Netfilter. The term 'iptables' is often used to refer to the
|
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||||
combination of iptables+Netfilter (with Netfilter not in
|
compatibility mode).<br>
|
||||||
ipchains compatibility mode).<br>
|
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
The
|
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||||
Shoreline Firewall, more commonly known as "Shorewall", is
|
|
||||||
high-level tool for configuring Netfilter. You describe your
|
high-level tool for configuring Netfilter. You describe your
|
||||||
firewall/gateway requirements using entries in a set of configuration
|
firewall/gateway requirements using entries in a set of configuration
|
||||||
files. Shorewall reads those configuration files and with the help of
|
files. Shorewall reads those configuration files and with the help of
|
||||||
@ -56,14 +54,14 @@ and can thus take advantage of Netfilter's connection state tracking
|
|||||||
capabilities.
|
capabilities.
|
||||||
<p>This program is free software; you can redistribute it and/or
|
<p>This program is free software; you can redistribute it and/or
|
||||||
modify it under the terms of <a
|
modify it under the terms of <a
|
||||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||||
GNU General Public License</a> as published by the Free Software
|
General Public License</a> as published by the Free Software Foundation.<br>
|
||||||
Foundation.<br>
|
|
||||||
<br>
|
<br>
|
||||||
This program is distributed in the hope that it will be useful, but
|
This program is distributed in the hope that it will be useful, but
|
||||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
General Public License for more details.<br>
|
General
|
||||||
|
Public License for more details.<br>
|
||||||
<br>
|
<br>
|
||||||
You should have received a copy of the GNU General Public License along
|
You should have received a copy of the GNU General Public License along
|
||||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||||
@ -81,30 +79,80 @@ Shorewall. For older versions:<br>
|
|||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<h2>Getting Started with Shorewall</h2>
|
<h2>Getting Started with Shorewall</h2>
|
||||||
New to Shorewall? Start by
|
New to Shorewall? Start by selecting the <a
|
||||||
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||||
that most closely match your environment and
|
closely match your environment and follow the step by step instructions.<br>
|
||||||
follow the step by step instructions.<br>
|
|
||||||
<h2>Looking for Information?</h2>
|
<h2>Looking for Information?</h2>
|
||||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
Index</a> is a good place to start as is the Quick Search to your
|
Index</a> is a good place to start as is the Quick Search to your
|
||||||
right.
|
right.
|
||||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||||
If so, the documentation<b> </b>on this site will not apply directly
|
If so, the documentation<b> </b>on this site will not apply directly
|
||||||
to your setup. If you want to
|
to
|
||||||
use the documentation that you find here, you will want to consider
|
your setup. If you want to use the documentation that you find here,
|
||||||
uninstalling what you have and installing a setup that matches the
|
you will want to consider uninstalling what you have and installing a
|
||||||
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
setup that matches the documentation on this site. See the <a
|
||||||
QuickStart Guide</a> for
|
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||||
details.
|
details.
|
||||||
<h2></h2>
|
<h2></h2>
|
||||||
<h2><b>News</b></h2>
|
<h2><b>News</b></h2>
|
||||||
|
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
|
||||||
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||||
|
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||||
|
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||||
|
</p>
|
||||||
|
<ol>
|
||||||
|
<li>Tuomo Soini has supplied a correction to a problem that
|
||||||
|
occurs
|
||||||
|
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||||
|
fails with:<br>
|
||||||
|
<br>
|
||||||
|
local: --limit: bad variable name<br>
|
||||||
|
iptables v1.2.8: Couldn't load match
|
||||||
|
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||||
|
cannot open shared object file: No such file or directory<br>
|
||||||
|
Try `iptables -h' or 'iptables --help' for more
|
||||||
|
information.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||||
|
to use the multiport match iptables facility on ICMP rules.<br>
|
||||||
|
<br>
|
||||||
|
Example of rule that previously caused "shorewall start"
|
||||||
|
to fail:<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
ACCEPT loc $FW
|
||||||
|
icmp 0,8,11,12<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Previously, if the following error message was issued,
|
||||||
|
Shorewall was left in an inconsistent state.<br>
|
||||||
|
<br>
|
||||||
|
Error: Unable to determine the routes routes through
|
||||||
|
interface xxx<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||||
|
been corrected.</li>
|
||||||
|
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||||
|
optimization
|
||||||
|
involved creating a chain named "<zone>_frwd" for most zones
|
||||||
|
defined using the /etc/shorewall/hosts file. It has since been
|
||||||
|
discovered that in many cases these new chains contain redundant rules
|
||||||
|
and that the "optimization" turns out to be less than optimal. The
|
||||||
|
implementation has now been corrected.</li>
|
||||||
|
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||||
|
or
|
||||||
|
":P", the ":F" or ":P" was previously only applied to the first
|
||||||
|
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||||
|
</ol>
|
||||||
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
||||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||||
src="images/new10.gif" alt="(New)" title=""></b><br>
|
src="images/new10.gif" alt="(New)" title=""></b><br>
|
||||||
<b><br>
|
<b><br>
|
||||||
Problems Corrected since version 1.4.6 (Those in bold font
|
Problems Corrected since version 1.4.6 (Those in bold font were
|
||||||
were corrected since 1.4.7 RC2).</b><br>
|
corrected since 1.4.7 RC2).</b><br>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
||||||
variable was being tested before it was set.</li>
|
variable was being tested before it was set.</li>
|
||||||
@ -120,65 +168,53 @@ were being added to a PPP interface; the addresses were successfully
|
|||||||
added in spite of the messages.<br>
|
added in spite of the messages.<br>
|
||||||
<br>
|
<br>
|
||||||
The firewall script has been modified to eliminate the error messages</li>
|
The firewall script has been modified to eliminate the error messages</li>
|
||||||
<li>Interface-specific dynamic blacklisting chains are
|
<li>Interface-specific dynamic blacklisting chains are now
|
||||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||||
(previously named "Dynamic Chain").</li>
|
(previously named "Dynamic Chain").</li>
|
||||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||||
<li value="7">The 'shorewall reject'
|
<li value="7">The 'shorewall reject' and 'shorewall drop'
|
||||||
and
|
commands now delete any existing rules for the subject IP address
|
||||||
'shorewall drop' commands now delete any existing rules for the subject
|
before adding a new DROP or REJECT rule. Previously, there could be
|
||||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
many rules for the same IP address in the dynamic chain so that
|
||||||
could be many rules for the same IP address in the dynamic chain so
|
multiple 'allow' commands were required to re-enable traffic to/from
|
||||||
that multiple 'allow' commands were required to re-enable traffic
|
the address.</li>
|
||||||
to/from the address.</li>
|
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
|
||||||
<li>When ADD_SNAT_ALIASES=Yes in
|
entry in /etc/shorewall/masq resulted in a startup error:<br>
|
||||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
|
||||||
a startup error:<br>
|
|
||||||
<br>
|
<br>
|
||||||
eth0 eth1
|
eth0 eth1
|
||||||
206.124.146.20-206.124.146.24<br>
|
206.124.146.20-206.124.146.24<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Shorewall previously choked over
|
<li>Shorewall previously choked over IPV6 addresses configured
|
||||||
IPV6
|
on interfaces in contexts where Shorewall needed to detect something
|
||||||
addresses configured on interfaces in contexts where Shorewall needed
|
about the interface (such as when "detect" appears in the BROADCAST
|
||||||
to detect something about the interface (such as when "detect" appears
|
column of the /etc/shorewall/interfaces file).</li>
|
||||||
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
<li>Shorewall will now load module files that are formed from
|
||||||
<li>Shorewall will now load
|
the module name by appending ".o.gz".</li>
|
||||||
module files that are formed from the module name by appending ".o.gz".</li>
|
<li>When Shorewall adds a route to a proxy ARP host and such a
|
||||||
<li>When Shorewall adds a route to a
|
route already exists, two routes resulted previously. This has been
|
||||||
proxy
|
corrected so that the existing route is replaced if it already exists.</li>
|
||||||
ARP host and such a route already exists, two routes resulted
|
<li>The rfc1918 file has been updated to reflect recent
|
||||||
previously. This has been corrected so that the existing route is
|
allocations.</li>
|
||||||
replaced if it already exists.</li>
|
<li>The documentation of the USER SET column in the rules file
|
||||||
<li>The rfc1918 file has been
|
has been corrected.</li>
|
||||||
updated to reflect recent allocations.</li>
|
<li>If there is no policy defined for the zones specified in a
|
||||||
<li>The documentation of the
|
rule, the firewall script previously encountered a shell syntax error:<br>
|
||||||
USER SET column in the rules file has been corrected.</li>
|
<br>
|
||||||
<li>If there is no policy
|
|
||||||
defined for
|
|
||||||
the zones specified in a rule, the firewall script previously
|
|
||||||
encountered a shell syntax error:<br>
|
|
||||||
|
|
||||||
<br>
|
|
||||||
[: NONE: unexpected operator<br>
|
[: NONE: unexpected operator<br>
|
||||||
|
<br>
|
||||||
<br>
|
|
||||||
Now, the absence of a policy generates an error message and the
|
Now, the absence of a policy generates an error message and the
|
||||||
firewall is stopped:<br>
|
firewall is stopped:<br>
|
||||||
|
<br>
|
||||||
<br>
|
|
||||||
No policy defined from zone
|
No policy defined from zone
|
||||||
<source> to zone <dest><br>
|
<source> to zone <dest><br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Previously, if neither
|
<li>Previously, if neither /etc/shorewall/common nor
|
||||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
/etc/shorewall/common.def existed, Shorewall would fail to start and
|
||||||
would fail to start and would not remove the lock file. Failure to
|
would not remove the lock file. Failure to remove the lock file
|
||||||
remove the lock file resulted in the following during subsequent
|
resulted in the following during subsequent attempts to start:<br>
|
||||||
attempts to start:<br>
|
<br>
|
||||||
|
|
||||||
<br>
|
|
||||||
Loading /usr/share/shorewall/functions...<br>
|
Loading /usr/share/shorewall/functions...<br>
|
||||||
Processing /etc/shorewall/params ...<br>
|
Processing /etc/shorewall/params ...<br>
|
||||||
Processing /etc/shorewall/shorewall.conf...<br>
|
Processing /etc/shorewall/shorewall.conf...<br>
|
||||||
@ -187,19 +223,17 @@ attempts to start:<br>
|
|||||||
<br>
|
<br>
|
||||||
Shorewall now reports a fatal error if neither of these two files exist
|
Shorewall now reports a fatal error if neither of these two files exist
|
||||||
and correctly removes the lock fille.</li>
|
and correctly removes the lock fille.</li>
|
||||||
<li>The order of processing
|
<li>The order of processing the various options has been
|
||||||
the
|
changed such that blacklist entries now take precedence over the 'dhcp'
|
||||||
various options has been changed such that blacklist entries now take
|
interface setting.</li>
|
||||||
precedence over the 'dhcp' interface setting.</li>
|
<li>The log message generated from the 'logunclean' interface
|
||||||
<li>The log message generated
|
option has been changed to reflect a disposition of LOG rather than
|
||||||
from the
|
DROP.</li>
|
||||||
'logunclean' interface option has been changed to reflect a disposition
|
|
||||||
of LOG rather than DROP.</li>
|
|
||||||
<li><span style="font-weight: bold;">When a user name and/or a
|
<li><span style="font-weight: bold;">When a user name and/or a
|
||||||
group
|
group name was specified in the USER SET column and the destination
|
||||||
name was specified in the USER SET column and the destination zone was
|
zone
|
||||||
qualified with a IP address, the user and/or group name was not being
|
was qualified with a IP address, the user and/or group name was not
|
||||||
used to qualify the rule.<br>
|
being used to qualify the rule.<br>
|
||||||
<br>
|
<br>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
@ -217,10 +251,9 @@ details.</li>
|
|||||||
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
||||||
changed -- see the <a href="UserSets.html">User Set page</a> for
|
changed -- see the <a href="UserSets.html">User Set page</a> for
|
||||||
details.</li>
|
details.</li>
|
||||||
<li>The
|
<li>The per-interface Dynamic Blacklisting facility introduced
|
||||||
per-interface Dynamic Blacklisting facility introduced in the first
|
in the first post-1.4.6 Snapshot has been removed. The facility had too
|
||||||
post-1.4.6 Snapshot has been removed. The facility had too many
|
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||||
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
|
||||||
</li>
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
<b></b><b>New Features:</b><br>
|
<b></b><b>New Features:</b><br>
|
||||||
@ -239,8 +272,9 @@ command-specific help (e.g., shorewall help <command>).</li>
|
|||||||
<li>A new option "ADMINISABSENTMINDED" has been added to
|
<li>A new option "ADMINISABSENTMINDED" has been added to
|
||||||
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
||||||
for existing users which causes Shorewall's 'stopped' state to
|
for existing users which causes Shorewall's 'stopped' state to
|
||||||
continue as it has been; namely, in the stopped state only traffic
|
continue
|
||||||
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
as it has been; namely, in the stopped state only traffic to/from hosts
|
||||||
|
listed in /etc/shorewall/routestopped is accepted.<br>
|
||||||
<br>
|
<br>
|
||||||
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
||||||
addition to traffic to/from the hosts listed in
|
addition to traffic to/from the hosts listed in
|
||||||
@ -248,7 +282,8 @@ addition to traffic to/from the hosts listed in
|
|||||||
<br>
|
<br>
|
||||||
a) All traffic originating from the firewall itself; and<br>
|
a) All traffic originating from the firewall itself; and<br>
|
||||||
b) All traffic that is part of or related to an
|
b) All traffic that is part of or related to an
|
||||||
already-existing connection.<br>
|
already-existing
|
||||||
|
connection.<br>
|
||||||
<br>
|
<br>
|
||||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||||
entered through an ssh session will not kill the session.<br>
|
entered through an ssh session will not kill the session.<br>
|
||||||
@ -272,12 +307,9 @@ fw tcp 22<br>
|
|||||||
<br>
|
<br>
|
||||||
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
||||||
connection with local system 192.168.1.5. I then create a second SSH
|
connection with local system 192.168.1.5. I then create a second SSH
|
||||||
connection
|
connection from that computer to the firewall and confidently type
|
||||||
from that computer to the firewall and confidently type "shorewall
|
"shorewall stop". As part of its stop processing, Shorewall removes
|
||||||
stop".
|
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
|
||||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
|
||||||
SSH
|
|
||||||
connection to 192.168.1.5!!!</li>
|
|
||||||
<li>Given the wide range of VPN software, I can never hope to
|
<li>Given the wide range of VPN software, I can never hope to
|
||||||
add specific support for all of it. I have therefore decided to add
|
add specific support for all of it. I have therefore decided to add
|
||||||
"generic" tunnel support.<br>
|
"generic" tunnel support.<br>
|
||||||
@ -297,15 +329,17 @@ where:<br>
|
|||||||
<protocol> is the protocol
|
<protocol> is the protocol
|
||||||
used by the tunnel<br>
|
used by the tunnel<br>
|
||||||
<port> if the protocol
|
<port> if the protocol
|
||||||
is 'udp' or 'tcp' then this is the destination port number used by the
|
is 'udp' or 'tcp' then this is the
|
||||||
tunnel.<br>
|
destination port number used by the tunnel.<br>
|
||||||
<zone> is the zone of
|
<zone> is the zone of
|
||||||
the remote tunnel gateway<br>
|
the remote tunnel gateway<br>
|
||||||
<ip address> is the IP
|
<ip address> is the IP
|
||||||
address of the remote tunnel gateway.<br>
|
address of the remote tunnel
|
||||||
|
gateway.<br>
|
||||||
<gateway zone>
|
<gateway zone>
|
||||||
Optional. A comma-separated list of zone names. If specified, the
|
Optional. A comma-separated list of zone
|
||||||
remote gateway is to be considered part of these zones.</li>
|
names. If specified, the remote gateway is to be considered part of
|
||||||
|
these zones.</li>
|
||||||
<li>An 'arp_filter' option has been added to the
|
<li>An 'arp_filter' option has been added to the
|
||||||
/etc/shorewall/interfaces file. This option causes
|
/etc/shorewall/interfaces file. This option causes
|
||||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||||
@ -315,7 +349,8 @@ facilitates testing of your firewall where multiple firewall interfaces
|
|||||||
are connected to the same HUB/Switch (all interfaces connected to the
|
are connected to the same HUB/Switch (all interfaces connected to the
|
||||||
single HUB/Switch should have this option specified). Note that using
|
single HUB/Switch should have this option specified). Note that using
|
||||||
such a configuration in a production environment is strongly
|
such a configuration in a production environment is strongly
|
||||||
recommended against.</li>
|
recommended
|
||||||
|
against.</li>
|
||||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||||
@ -334,8 +369,9 @@ separately.<br>
|
|||||||
<br>
|
<br>
|
||||||
<span style="font-weight: bold;">Warning: </span>When rate
|
<span style="font-weight: bold;">Warning: </span>When rate
|
||||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||||
fields, the limit will apply to each pair of zones individually rather
|
fields,
|
||||||
than as a single limit for all pairs of covered by the rule.<br>
|
the limit will apply to each pair of zones individually rather than as
|
||||||
|
a single limit for all pairs of covered by the rule.<br>
|
||||||
<br>
|
<br>
|
||||||
To specify a rate limit, <br>
|
To specify a rate limit, <br>
|
||||||
<br>
|
<br>
|
||||||
@ -344,15 +380,14 @@ a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
|||||||
<
|
<
|
||||||
<rate>/<interval>[:<burst>] ><br>
|
<rate>/<interval>[:<burst>] ><br>
|
||||||
<br>
|
<br>
|
||||||
|
where<br>
|
||||||
where<br>
|
|
||||||
<br>
|
<br>
|
||||||
<rate> is the sustained rate per
|
<rate> is the sustained rate per
|
||||||
<interval><br>
|
<interval><br>
|
||||||
<interval> is "sec" or "min"<br>
|
<interval> is "sec" or "min"<br>
|
||||||
<burst> is the largest burst
|
<burst> is the largest burst
|
||||||
accepted within an <interval>. If not given, the default of 5 is
|
accepted within an
|
||||||
assumed.<br>
|
<interval>. If not given, the default of 5 is assumed.<br>
|
||||||
<br>
|
<br>
|
||||||
There may be no white space between the ACTION and "<" nor there may
|
There may be no white space between the ACTION and "<" nor there may
|
||||||
be any white space within the burst specification. If you want to
|
be any white space within the burst specification. If you want to
|
||||||
@ -378,8 +413,9 @@ After this, it will be 500ms (1 second divided by the rate<br>
|
|||||||
of 2) before a packet will be accepted from this rule, regardless of
|
of 2) before a packet will be accepted from this rule, regardless of
|
||||||
how many packets reach it. Also, every 500ms which passes without
|
how many packets reach it. Also, every 500ms which passes without
|
||||||
matching a packet, one of the bursts will be regained; if no packets
|
matching a packet, one of the bursts will be regained; if no packets
|
||||||
hit the rule for 2 second, the burst will be fully recharged; back
|
hit
|
||||||
where we started.<br>
|
the rule for 2 second, the burst will be fully recharged; back where we
|
||||||
|
started.<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Multiple chains may now be displayed in one "shorewall
|
<li>Multiple chains may now be displayed in one "shorewall
|
||||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||||
@ -387,50 +423,6 @@ show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
|||||||
limited to a set of local users and/or groups. See <a
|
limited to a set of local users and/or groups. See <a
|
||||||
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
||||||
details.</li>
|
details.</li>
|
||||||
</ol>
|
|
||||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
|
||||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
|
||||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
|
||||||
there is now a Shorewall Mirror in Australia:</p>
|
|
||||||
<div style="margin-left: 40px;"><a
|
|
||||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
|
|
||||||
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
|
|
||||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
|
||||||
Guide </b></p>
|
|
||||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
|
||||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
|
||||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
|
|
||||||
- Shorewall 1.4.7 Beta 2</b><b> <img
|
|
||||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
||||||
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
|
|
||||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
|
|
||||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
||||||
src="images/new10.gif" alt="(New)" title=""> <br>
|
|
||||||
</b></p>
|
|
||||||
<b>Problems Corrected since version 1.4.6:</b><br>
|
|
||||||
<ol>
|
|
||||||
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
|
||||||
then Shorewall would fail to start with the error "ERROR: Traffic
|
|
||||||
Control requires Mangle"; that problem has been corrected.</li>
|
|
||||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
|
||||||
the
|
|
||||||
tcrules file. Previously, these addresses resulted in an invalid
|
|
||||||
iptables
|
|
||||||
command.</li>
|
|
||||||
<li>The "shorewall stop" command is now disabled when
|
|
||||||
/etc/shorewall/startup_disabled
|
|
||||||
exists. This prevents people from shooting themselves in the foot prior
|
|
||||||
to
|
|
||||||
having configured Shorewall.</li>
|
|
||||||
<li>A change introduced in version 1.4.6 caused error messages
|
|
||||||
during
|
|
||||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
|
||||||
being
|
|
||||||
added to a PPP interface; the addresses were successfully added in
|
|
||||||
spite
|
|
||||||
of the messages.<br>
|
|
||||||
<br>
|
|
||||||
The firewall script has been modified to eliminate the error messages.</li>
|
|
||||||
</ol>
|
</ol>
|
||||||
<p><b><a href="News.htm">More News</a></b></p>
|
<p><b><a href="News.htm">More News</a></b></p>
|
||||||
<b> </b>
|
<b> </b>
|
||||||
@ -503,7 +495,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
|||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
<br>
|
<br>
|
||||||
</p>
|
</p>
|
||||||
</body>
|
</body>
|
||||||
|
|||||||
@ -1,341 +1,315 @@
|
|||||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
|
|
||||||
<meta http-equiv="Content-Language" content="en-us">
|
<meta http-equiv="Content-Language" content="en-us">
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
|
|
||||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||||
|
|
||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
<title>Traffic Shaping</title>
|
<title>Traffic Shaping</title>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%">
|
<td width="100%">
|
||||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
</tbody>
|
||||||
</tbody>
|
|
||||||
</table>
|
</table>
|
||||||
|
<p align="left">Shorewall has limited support for traffic
|
||||||
<p align="left">Shorewall has limited support for traffic shaping/control.
|
shaping/control. In order to use traffic shaping under Shorewall, it is
|
||||||
In order to use traffic shaping under Shorewall, it is essential that
|
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux
|
||||||
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
|
Advanced Routing and Shaping HOWTO</a>, version 0.3.0 or later. It is
|
||||||
and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
|
also necessary to be running Linux Kernel 2.4.18 or later.</p>
|
||||||
to be running Linux Kernel 2.4.18 or later.</p>
|
<p align="left">Shorewall traffic shaping support consists of the
|
||||||
|
following:</p>
|
||||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||||
the setting of this variable determines whether Shorewall clears the traffic
|
the setting of this variable determines whether Shorewall clears the
|
||||||
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
|
traffic shaping configuration during Shorewall [re]start and Shorewall
|
||||||
</li>
|
stop. <br>
|
||||||
<li><b>/etc/shorewall/tcrules</b> - A file where you
|
</li>
|
||||||
can specify firewall marking of packets. The firewall mark value
|
<li><b>/etc/shorewall/tcrules</b> - A file where you
|
||||||
may be used to classify packets for traffic shaping/control.<br>
|
can specify firewall marking of packets. The firewall mark value
|
||||||
</li>
|
may be used to classify packets for traffic shaping/control.<br>
|
||||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
|
</li>
|
||||||
that is sourced by Shorewall during "shorewall start" and which
|
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file that is
|
||||||
you can use to define your traffic shaping disciplines and classes.
|
sourced by Shorewall during "shorewall start" and which you can use to
|
||||||
I have provided a <a
|
define your traffic shaping disciplines and classes. I have provided a <a
|
||||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||||
of the HOWTO mentioned above, you can probably code your own faster
|
of the HOWTO mentioned above, you can probably code your own faster
|
||||||
than you can learn how to use my sample. I personally use
|
than you can learn how to use my sample. I personally use <a
|
||||||
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
|
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
|
||||||
HTB support may eventually become an integral part of Shorewall
|
support may eventually become an integral part of Shorewall since HTB
|
||||||
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a
|
||||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
standard part of the kernel but iproute2 must be patched in order to
|
||||||
order to use it.<br>
|
use it.<br>
|
||||||
<br>
|
|
||||||
In tcstart, when you want to run the 'tc' utility,
|
|
||||||
use the run_tc function supplied by shorewall if you want tc errors
|
|
||||||
to stop the firewall.<br>
|
|
||||||
<br>
|
|
||||||
You can generally use off-the-shelf traffic shaping scripts by
|
|
||||||
simply copying them to /etc/shorewall/tcstart. I use <a
|
|
||||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
|
||||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
|
|
||||||
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
|
||||||
you use use Masquerading or SNAT (i.e., you only have one external IP address)
|
|
||||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
|
||||||
script won't work. Traffic shaping occurs after SNAT has already been
|
|
||||||
applied so when traffic shaping happens, all outbound traffic will have
|
|
||||||
as a source address the IP addresss of your firewall's external interface.<br>
|
|
||||||
</li>
|
|
||||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
|
|
||||||
that is sourced by Shorewall when it is clearing traffic shaping.
|
|
||||||
This file is normally not required as Shorewall's method of clearing
|
|
||||||
qdisc and filter definitions is pretty general.</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
|
||||||
starts or it allows you to bring up traffic shaping when you bring up your
|
|
||||||
interfaces.<br>
|
|
||||||
<br>
|
|
||||||
To start traffic shaping when Shorewall starts:<br>
|
|
||||||
|
|
||||||
<ol>
|
|
||||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
|
||||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
|
||||||
shaping rules.</li>
|
|
||||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop
|
|
||||||
traffic shaping. That is usually unnecessary.</li>
|
|
||||||
<li>If your tcstart script uses the 'fwmark' classifier, you can
|
|
||||||
mark packets using entries in /etc/shorewall/tcrules.</li>
|
|
||||||
|
|
||||||
</ol>
|
|
||||||
To start traffic shaping when you bring up your network interfaces,
|
|
||||||
you will have to arrange for your traffic shaping configuration script
|
|
||||||
to be run at that time. How you do that is distribution dependent and will
|
|
||||||
not be covered here. You then should:<br>
|
|
||||||
|
|
||||||
<ol>
|
|
||||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
|
||||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
|
||||||
scripts.</li>
|
|
||||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
|
||||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
|
||||||
|
|
||||||
</ol>
|
|
||||||
|
|
||||||
<h3 align="left">Kernel Configuration</h3>
|
|
||||||
|
|
||||||
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
|
|
||||||
|
|
||||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
|
||||||
height="764">
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
|
||||||
|
|
||||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
|
||||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
|
||||||
a means for specifying these marks in a tabular fashion.<br>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
|
||||||
any address rewriting takes place. This makes it impossible to mark inbound
|
|
||||||
packets based on their destination address when SNAT or Masquerading
|
|
||||||
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
|
||||||
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
|
|
||||||
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<p align="left">Columns in the file are as follows:</p>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li>MARK - Specifies the mark value is to be assigned
|
|
||||||
in case of a match. This is an integer in the range 1-255. Beginning
|
|
||||||
with Shorewall version 1.3.14, this value may be optionally followed by
|
|
||||||
":" and either 'F' or 'P' to designate that the marking will occur in the
|
|
||||||
FORWARD or PREROUTING chains respectively. If this additional specification
|
|
||||||
is omitted, the chain used to mark packets will be determined by the setting
|
|
||||||
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
|
||||||
<br>
|
|
||||||
Example - 5<br>
|
|
||||||
</li>
|
|
||||||
<li>SOURCE - The source of the packet. If the packet
|
|
||||||
originates on the firewall, place "fw" in this column. Otherwise,
|
|
||||||
this is a comma-separated list of interface names, IP addresses, MAC
|
|
||||||
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
|
|
||||||
Subnets.<br>
|
|
||||||
<br>
|
|
||||||
Examples<br>
|
|
||||||
eth0<br>
|
|
||||||
192.168.2.4,192.168.1.0/24<br>
|
|
||||||
</li>
|
|
||||||
<li>DEST -- Destination of the packet. Comma-separated
|
|
||||||
list of IP addresses and/or subnets.<br>
|
|
||||||
</li>
|
|
||||||
<li>PROTO - Protocol - Must be the name of a protocol
|
|
||||||
from /etc/protocol, a number or "all"<br>
|
|
||||||
</li>
|
|
||||||
<li>PORT(S) - Destination Ports. A comma-separated list
|
|
||||||
of Port names (from /etc/services), port numbers or port ranges (e.g.,
|
|
||||||
21:22); if the protocol is "icmp", this column is interpreted as
|
|
||||||
the destination icmp type(s).<br>
|
|
||||||
</li>
|
|
||||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
|
|
||||||
If omitted, any source port is acceptable. Specified as a comma-separate
|
|
||||||
list of port names, port numbers or port ranges.</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
|
||||||
with 1. All packets arriving on eth2 and eth3 should be marked with
|
|
||||||
2. All packets originating on the firewall itself should be marked with
|
|
||||||
3.</p>
|
|
||||||
|
|
||||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
|
||||||
<tbody>
|
|
||||||
<tr>
|
|
||||||
<td><b>MARK</b></td>
|
|
||||||
<td><b>SOURCE</b></td>
|
|
||||||
<td><b>DEST</b></td>
|
|
||||||
<td><b>PROTO</b></td>
|
|
||||||
<td><b>PORT(S)</b></td>
|
|
||||||
<td><b>CLIENT PORT(S)</b></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>1</td>
|
|
||||||
<td>eth1</td>
|
|
||||||
<td>0.0.0.0/0</td>
|
|
||||||
<td>all</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>2</td>
|
|
||||||
<td>eth2</td>
|
|
||||||
<td>0.0.0.0/0</td>
|
|
||||||
<td>all</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td valign="top">2<br>
|
|
||||||
</td>
|
|
||||||
<td valign="top">eth3<br>
|
|
||||||
</td>
|
|
||||||
<td valign="top">0.0.0.0/0<br>
|
|
||||||
</td>
|
|
||||||
<td valign="top">all<br>
|
|
||||||
</td>
|
|
||||||
<td valign="top"><br>
|
|
||||||
</td>
|
|
||||||
<td valign="top"><br>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>3</td>
|
|
||||||
<td>fw</td>
|
|
||||||
<td>0.0.0.0/0</td>
|
|
||||||
<td>all</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
|
||||||
on the firewall and destined for 155.186.235.151 should be marked
|
|
||||||
with 12.</p>
|
|
||||||
|
|
||||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
|
||||||
<tbody>
|
|
||||||
<tr>
|
|
||||||
<td><b>MARK</b></td>
|
|
||||||
<td><b>SOURCE</b></td>
|
|
||||||
<td><b>DEST</b></td>
|
|
||||||
<td><b>PROTO</b></td>
|
|
||||||
<td><b>PORT(S)</b></td>
|
|
||||||
<td><b>CLIENT PORT(S)</b></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>12</td>
|
|
||||||
<td>0.0.0.0/0</td>
|
|
||||||
<td>155.186.235.151</td>
|
|
||||||
<td>47</td>
|
|
||||||
<td> </td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
|
||||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
|
||||||
|
|
||||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
|
||||||
<tbody>
|
|
||||||
<tr>
|
|
||||||
<td><b>MARK</b></td>
|
|
||||||
<td><b>SOURCE</b></td>
|
|
||||||
<td><b>DEST</b></td>
|
|
||||||
<td><b>PROTO</b></td>
|
|
||||||
<td><b>PORT(S)</b></td>
|
|
||||||
<td><b>CLIENT PORT(S)</b></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>22</td>
|
|
||||||
<td>192.168.1.0/24</td>
|
|
||||||
<td>155.186.235.151</td>
|
|
||||||
<td>tcp</td>
|
|
||||||
<td>22</td>
|
|
||||||
<td> </td>
|
|
||||||
</tr>
|
|
||||||
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<h3>My Setup<br>
|
|
||||||
</h3>
|
|
||||||
|
|
||||||
<p>While I am currently using the HTB version of <a
|
|
||||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
|
||||||
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
|
|
||||||
in the Wondershaper README), I have also run with the following set of
|
|
||||||
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<blockquote>
|
|
||||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
|
||||||
|
|
||||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
|
||||||
|
|
||||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
|
||||||
|
|
||||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
|
||||||
|
|
||||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
|
||||||
|
|
||||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
|
||||||
|
|
||||||
<pre>echo " Defined fwmark filters"<br></pre>
|
|
||||||
</blockquote>
|
|
||||||
|
|
||||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
|
||||||
above. You can look at <a href="myfiles.htm">my configuration</a> to
|
|
||||||
see why I wanted shaping of this type.<br>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<ol>
|
|
||||||
<li>I wanted to allow up to 140kbits/second for traffic outbound
|
|
||||||
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
|
|
||||||
traffic can use all available bandwidth if there is no traffic from the
|
|
||||||
local systems or from my laptop or firewall).</li>
|
|
||||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
|
||||||
<li>My firewall could use up to 20kbits/second.</li>
|
|
||||||
|
|
||||||
</ol>
|
|
||||||
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
|
|
||||||
to see how this fit in. <br>
|
|
||||||
|
|
||||||
<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
|
||||||
|
|
||||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
|
||||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
|
||||||
</p>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
<br>
|
<br>
|
||||||
<br>
|
In tcstart, when you want to run the 'tc' utility,
|
||||||
<br>
|
use the run_tc function supplied by shorewall if you want tc errors to
|
||||||
<br>
|
stop the firewall.<br>
|
||||||
|
<br>
|
||||||
|
You can generally use off-the-shelf traffic shaping scripts by simply
|
||||||
|
copying them to /etc/shorewall/tcstart. I use <a
|
||||||
|
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB
|
||||||
|
version) that way (i.e., I just copied wshaper.htb to
|
||||||
|
/etc/shorewall/tcstart
|
||||||
|
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||||
|
you use use Masquerading or SNAT (i.e., you only have one external IP
|
||||||
|
address) then listing internal hosts in the NOPRIOHOSTSRC variable in
|
||||||
|
the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
|
||||||
|
has already been
|
||||||
|
applied so when traffic shaping happens, all outbound traffic will have
|
||||||
|
as a source address the IP addresss of your firewall's external
|
||||||
|
interface.<br>
|
||||||
|
</li>
|
||||||
|
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file that is
|
||||||
|
sourced by Shorewall when it is clearing traffic shaping. This file is
|
||||||
|
normally not required as Shorewall's method of clearing qdisc and
|
||||||
|
filter definitions is pretty general.</li>
|
||||||
|
</ul>
|
||||||
|
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||||
|
starts or it allows you to bring up traffic shaping when you bring up
|
||||||
|
your interfaces.<br>
|
||||||
|
<br>
|
||||||
|
To start traffic shaping when Shorewall starts:<br>
|
||||||
|
<ol>
|
||||||
|
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||||
|
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||||
|
shaping rules.</li>
|
||||||
|
<li>Optionally supply an /etc/shorewall/tcclear script to stop
|
||||||
|
traffic shaping. That is usually unnecessary.</li>
|
||||||
|
<li>If your tcstart script uses the 'fwmark' classifier, you can mark
|
||||||
|
packets using entries in /etc/shorewall/tcrules.</li>
|
||||||
|
</ol>
|
||||||
|
To start traffic shaping when you bring up your network interfaces, you
|
||||||
|
will have to arrange for your traffic shaping configuration script to
|
||||||
|
be run at that time. How you do that is distribution dependent and will
|
||||||
|
not be covered here. You then should:<br>
|
||||||
|
<ol>
|
||||||
|
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||||
|
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||||
|
scripts.</li>
|
||||||
|
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||||
|
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||||
|
</ol>
|
||||||
|
<h3 align="left">Kernel Configuration</h3>
|
||||||
|
<p align="left">This screen shot show how I've configured QoS in my
|
||||||
|
Kernel:</p>
|
||||||
|
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||||
|
height="764"> </p>
|
||||||
|
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||||
|
<p align="left">The fwmark classifier provides a convenient way to
|
||||||
|
classify packets for traffic shaping. The /etc/shorewall/tcrules file
|
||||||
|
provides a means for specifying these marks in a tabular fashion.<br>
|
||||||
|
</p>
|
||||||
|
<p align="left">Normally, packet marking occurs in the PREROUTING chain
|
||||||
|
before any address rewriting takes place. This makes it impossible to
|
||||||
|
mark inbound packets based on their destination address when SNAT or
|
||||||
|
Masquerading
|
||||||
|
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
||||||
|
marking to occur in the FORWARD chain by using the
|
||||||
|
MARK_IN_FORWARD_CHAIN
|
||||||
|
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||||
|
</p>
|
||||||
|
<p align="left">Columns in the file are as follows:</p>
|
||||||
|
<ul>
|
||||||
|
<li>MARK - Specifies the mark value is to be assigned in case of a
|
||||||
|
match. This is an integer in the range 1-255. Beginning with Shorewall
|
||||||
|
version 1.3.14, this value may be optionally followed by
|
||||||
|
":" and either 'F' or 'P' to designate that the marking will occur in
|
||||||
|
the
|
||||||
|
FORWARD or PREROUTING chains respectively. If this additional
|
||||||
|
specification
|
||||||
|
is omitted, the chain used to mark packets will be determined by the
|
||||||
|
setting
|
||||||
|
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||||
|
<br>
|
||||||
|
Example - 5<br>
|
||||||
|
</li>
|
||||||
|
<li>SOURCE - The source of the packet. If the packet
|
||||||
|
originates on the firewall, place "fw" in this column. Otherwise,
|
||||||
|
this is a comma-separated list of interface names, IP addresses, MAC
|
||||||
|
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a>
|
||||||
|
and/or
|
||||||
|
Subnets.<br>
|
||||||
|
<br>
|
||||||
|
Examples<br>
|
||||||
|
eth0<br>
|
||||||
|
192.168.2.4,192.168.1.0/24<br>
|
||||||
|
</li>
|
||||||
|
<li>DEST -- Destination of the packet. Comma-separated list of IP
|
||||||
|
addresses and/or subnets.<br>
|
||||||
|
</li>
|
||||||
|
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||||
|
/etc/protocol, a number or "all"<br>
|
||||||
|
</li>
|
||||||
|
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
|
||||||
|
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
|
||||||
|
protocol is "icmp", this column is interpreted as the destination icmp
|
||||||
|
type(s).<br>
|
||||||
|
</li>
|
||||||
|
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||||
|
omitted, any source port is acceptable. Specified as a comma-separate
|
||||||
|
list of port names, port numbers or port ranges.</li>
|
||||||
|
</ul>
|
||||||
|
<p align="left">Example 1 - All packets arriving on eth1 should be
|
||||||
|
marked with 1. All packets arriving on eth2 and eth3 should be marked
|
||||||
|
with 2. All packets originating on the firewall itself should be marked
|
||||||
|
with 3.</p>
|
||||||
|
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td><b>MARK</b></td>
|
||||||
|
<td><b>SOURCE</b></td>
|
||||||
|
<td><b>DEST</b></td>
|
||||||
|
<td><b>PROTO</b></td>
|
||||||
|
<td><b>PORT(S)</b></td>
|
||||||
|
<td><b>CLIENT PORT(S)</b></td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>1</td>
|
||||||
|
<td>eth1</td>
|
||||||
|
<td>0.0.0.0/0</td>
|
||||||
|
<td>all</td>
|
||||||
|
<td> </td>
|
||||||
|
<td> </td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>2</td>
|
||||||
|
<td>eth2</td>
|
||||||
|
<td>0.0.0.0/0</td>
|
||||||
|
<td>all</td>
|
||||||
|
<td> </td>
|
||||||
|
<td> </td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td valign="top">2<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">eth3<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">0.0.0.0/0<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top">all<br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
<td valign="top"><br>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>3</td>
|
||||||
|
<td>fw</td>
|
||||||
|
<td>0.0.0.0/0</td>
|
||||||
|
<td>all</td>
|
||||||
|
<td> </td>
|
||||||
|
<td> </td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<p align="left">Example 2 - All GRE (protocol 47) packets not
|
||||||
|
originating on the firewall and destined for 155.186.235.151 should be
|
||||||
|
marked with 12.</p>
|
||||||
|
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td><b>MARK</b></td>
|
||||||
|
<td><b>SOURCE</b></td>
|
||||||
|
<td><b>DEST</b></td>
|
||||||
|
<td><b>PROTO</b></td>
|
||||||
|
<td><b>PORT(S)</b></td>
|
||||||
|
<td><b>CLIENT PORT(S)</b></td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>12</td>
|
||||||
|
<td>0.0.0.0/0</td>
|
||||||
|
<td>155.186.235.151</td>
|
||||||
|
<td>47</td>
|
||||||
|
<td> </td>
|
||||||
|
<td> </td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<p align="left">Example 3 - All SSH packets originating in
|
||||||
|
192.168.1.0/24 and destined for 155.186.235.151 should be marked with
|
||||||
|
22.</p>
|
||||||
|
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td><b>MARK</b></td>
|
||||||
|
<td><b>SOURCE</b></td>
|
||||||
|
<td><b>DEST</b></td>
|
||||||
|
<td><b>PROTO</b></td>
|
||||||
|
<td><b>PORT(S)</b></td>
|
||||||
|
<td><b>CLIENT PORT(S)</b></td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>22</td>
|
||||||
|
<td>192.168.1.0/24</td>
|
||||||
|
<td>155.186.235.151</td>
|
||||||
|
<td>tcp</td>
|
||||||
|
<td>22</td>
|
||||||
|
<td> </td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<h3>My Current Setup<br>
|
||||||
|
</h3>
|
||||||
|
<p>I am currently using the HTB version of <a
|
||||||
|
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just
|
||||||
|
copied wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as
|
||||||
|
shown in the Wondershaper README).<span style="font-weight: bold;"> </span>WonderShaper
|
||||||
|
DOES NOT USE THE
|
||||||
|
/etc/shorewall/tcrules file. While I currently have entries in
|
||||||
|
/etc/shorewall/tcrules, I do so for <a
|
||||||
|
href="Shorewall_Squid_Usage.html">policy routing for Squid</a> and not
|
||||||
|
for Traffic Shaping.</p>
|
||||||
|
<h3>My Old Setup<br>
|
||||||
|
</h3>
|
||||||
|
<p>I have also run with the following set of hand-crafted rules in my <b>/etc/shorewall/tcstart</b>
|
||||||
|
file.<br>
|
||||||
|
</p>
|
||||||
|
<blockquote>
|
||||||
|
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||||
|
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||||
|
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||||
|
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||||
|
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||||
|
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||||
|
<pre>echo " Defined fwmark filters"<br></pre>
|
||||||
|
</blockquote>
|
||||||
|
<p>My tcrules file that went with this tcstart file is shown in Example
|
||||||
|
1 above. When I was using these rules:<br>
|
||||||
|
</p>
|
||||||
|
<ol>
|
||||||
|
<li>I wanted to allow up to 140kbits/second for traffic outbound from
|
||||||
|
my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ
|
||||||
|
traffic can use all available bandwidth if there is no traffic from the
|
||||||
|
local systems or from my laptop or firewall).</li>
|
||||||
|
<li>My laptop (which at that time connected via eth3) and local
|
||||||
|
systems (eth2) could use up to 224kbits/second.</li>
|
||||||
|
<li>My firewall could use up to 20kbits/second.</li>
|
||||||
|
</ol>
|
||||||
|
Once www.shorewall.net was moved off-site, I no longer needed these
|
||||||
|
shaping rules and The Wonder Shaper does all that I now require.<br>
|
||||||
|
<p><font size="2">Last Updated 10/21/2003 - <a href="support.htm">Tom
|
||||||
|
Eastep</a></font></p>
|
||||||
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||||
|
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||||
|
</p>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|||||||
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=1.4.7
|
VERSION=1.4.7a
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
|||||||
@ -54,7 +54,7 @@
|
|||||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=1.4.7
|
VERSION=1.4.7a
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 1.4.7
|
%define version 1.4.7a
|
||||||
%define release 1
|
%define release 1
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
@ -108,6 +108,8 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 21 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
- Changed version to 1.4.7a-1
|
||||||
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
|
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
|
||||||
- Changed version to 1.4.7-1
|
- Changed version to 1.4.7-1
|
||||||
- Removed conflict with 2.2 Kernels
|
- Removed conflict with 2.2 Kernels
|
||||||
|
|||||||
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=1.4.7
|
VERSION=1.4.7a
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user