mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-15 10:08:43 +01:00
Shorewall-1.4.7a
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@774 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
f6c8974bda
commit
7bb80bf3fe
@ -27,69 +27,62 @@ Shorewall Traffic Accounting support was added in Shorewall release
|
||||
<br>
|
||||
Shorewall accounting rules are described in the file
|
||||
/etc/shorewall/accounting. By default, the accounting rules are placed
|
||||
in a chain called "accounting" and can
|
||||
thus be displayed using "shorewall show accounting". All traffic
|
||||
passing into, out of or through the firewall traverses the accounting
|
||||
chain including traffic that will later be rejected by <a
|
||||
href="Documentation.htm#Interfaces">interface options</a> such as
|
||||
"tcpflags" and "maclist". If your kernel doesn't support the connection
|
||||
tracking match extension (Kernel 2.4.21) then some traffic rejected
|
||||
under 'norfc1918' will not traverse the accounting chain.<br>
|
||||
in a chain called "accounting" and can thus be displayed using
|
||||
"shorewall show accounting". All traffic passing into, out of or
|
||||
through the firewall traverses the accounting chain including traffic
|
||||
that will later be rejected by <a href="Documentation.htm#Interfaces">interface
|
||||
options</a> such as "tcpflags" and "maclist". If your kernel doesn't
|
||||
support the connection tracking match extension (Kernel 2.4.21) then
|
||||
some traffic rejected under 'norfc1918' will not traverse the
|
||||
accounting chain.<br>
|
||||
<br>
|
||||
The columns in the accounting file are as follows:<br>
|
||||
<ul>
|
||||
<li><span style="font-weight: bold;">ACTION</span> - What to do when
|
||||
a match is found. Possible values are:</li>
|
||||
<li><span style="font-weight: bold;">ACTION</span> - What to do when a
|
||||
match is found. Possible values are:</li>
|
||||
<ul>
|
||||
<li>COUNT- Simply count the match and continue trying to
|
||||
match the packet with the following accounting rules</li>
|
||||
<li>COUNT- Simply count the match and continue trying to match the
|
||||
packet with the following accounting rules</li>
|
||||
<li>DONE- Count the match and don't attempt to match any following
|
||||
accounting rules.</li>
|
||||
<li><<span style="font-style: italic;">chain</span>> - The
|
||||
name of a chain to jump to. Shorewall will create the chain
|
||||
automatically. If the
|
||||
name of the chain is followed by ":COUNT" then a COUNT rule matching
|
||||
this rule will automatically be added to <<span
|
||||
automatically. If the name of the chain is followed by ":COUNT" then a
|
||||
COUNT rule matching this rule will automatically be added to <<span
|
||||
style="font-style: italic;">chain</span>><br>
|
||||
</li>
|
||||
</ul>
|
||||
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
|
||||
chain where the accounting rule is to be added. If empty or "-" then
|
||||
the "accounting" chain is assumed.<br>
|
||||
chain where the accounting rule is to be added. If empty or "-" then the
|
||||
"accounting" chain is assumed.<br>
|
||||
</li>
|
||||
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
|
||||
The name of an interface, an address
|
||||
(host or net) or an interface name followed by ":" and a host or net
|
||||
address.</li>
|
||||
The name of an interface, an address (host or net) or an interface name
|
||||
followed by ":" and a host or net address.</li>
|
||||
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
|
||||
Destination Format the same as the SOURCE
|
||||
column.</li>
|
||||
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol
|
||||
name (from /etc/protocols) or a protocol
|
||||
number.</li>
|
||||
Destination Format the same as the SOURCE column.</li>
|
||||
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol name
|
||||
(from /etc/protocols) or a protocol number.</li>
|
||||
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
|
||||
Port number. Service name from
|
||||
/etc/services or port number. May only be specified if the protocol is
|
||||
TCP or UDP (6 or 17).</li>
|
||||
Port number. Service name from /etc/services or port number. May only be
|
||||
specified if the protocol is TCP or UDP (6 or 17).</li>
|
||||
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
|
||||
number. Service name from /etc/services
|
||||
or port number. May only be specified if the protocol is TCP or UDP (6
|
||||
or 17).<br>
|
||||
number. Service name from /etc/services or port number. May only be
|
||||
specified if the protocol is TCP or UDP (6 or 17).<br>
|
||||
</li>
|
||||
</ul>
|
||||
In all columns except ACTION and CHAIN, the values "-","any" and
|
||||
"all" are treated as wild-cards.<br>
|
||||
<br>
|
||||
In all columns except ACTION and CHAIN, the values "-","any" and "all"
|
||||
are treated as wild-cards.<br>
|
||||
<br>
|
||||
The accounting rules are evaluated in the Netfilter 'filter' table.
|
||||
This is the same environment where the 'rules' file rules are evaluated
|
||||
and in this environment, DNAT has already occurred in inbound packets
|
||||
and SNAT has not yet occurred on outbound ones.<br>
|
||||
<br>
|
||||
<br>
|
||||
Accounting rules are not stateful -- each rule only handles traffic in
|
||||
one direction. For example, if eth0 is your internet interface and you
|
||||
have a web
|
||||
server in your DMZ connected to eth1 then to count HTTP traffic in
|
||||
both directions requires two rules: <br>
|
||||
have a web server in your DMZ connected to eth1 then to count HTTP
|
||||
traffic in both directions requires two rules: <br>
|
||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
|
||||
Associating a counter with a chain allows for nice reporting. For
|
||||
example:<br>
|
||||
@ -103,8 +96,16 @@ Here's a slightly different example:<br>
|
||||
Now "shorewall show web" simply gives you a breakdown by input and
|
||||
output:<br>
|
||||
<br>
|
||||
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br><br></pre>
|
||||
<p align="left"><font size="2">Last updated 8/20/2003 - <a
|
||||
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br></pre>
|
||||
Here's how the same example would be constructed on a server with only
|
||||
one interface (eth0):<br>
|
||||
<pre style="margin-left: 40px;">#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br># PORT PORT<br>web - eth0 - tcp 80<br>web - - eth0 tcp - 80<br>web - eth0 - tcp 443<br>web - - eth0 tcp - 443<br><br>COUNT web eth0 -<br>COUNT web - eth0<br></pre>
|
||||
Note that with only one interface, only the SOURCE (for input rules) or
|
||||
the DESTINATION (for output rules) is specified in each rule.<br>
|
||||
<br>
|
||||
Here's the output:<br>
|
||||
<pre style="margin-left: 40px;">[root@mail shorewall]# shorewall show accounting web <br>Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0<br>[root@mail shorewall]#<br></pre>
|
||||
<p align="left"><font size="2">Last updated 10/12/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
@ -173,7 +173,15 @@ only<b> from specific IP Addresses</b> on the internet?</a><br>
|
||||
options in nmap</b> on or behind the firewall, I get "<b>operation not
|
||||
permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
||||
<br>
|
||||
<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my
|
||||
<b><span style="font-weight: bold;">26a. </span></b><a
|
||||
href="#faq26a">When I try
|
||||
to use the <span style="font-weight: bold;">"-O" option of nmap</span>
|
||||
from the firewall system, I get "<span style="font-weight: bold;">operation
|
||||
not permitted". </span>How to I allow this option?</a><b><span
|
||||
style="font-weight: bold;"><a href="#faq26a"> </a><br>
|
||||
<br>
|
||||
</span>27. </b><a href="#faq27">I am compiling a <b>new kernel</b>
|
||||
for my
|
||||
firewall<b>.</b> What should I look out for?</a><br>
|
||||
<br>
|
||||
<b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging
|
||||
@ -1079,13 +1087,22 @@ Shorewall</b> I am <b>running</b>?<br>
|
||||
At the shell prompt, type:<br>
|
||||
<br>
|
||||
<font color="#009900"><b> /sbin/shorewall
|
||||
version</b></font><br>
|
||||
version<br>
|
||||
</b></font>
|
||||
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN
|
||||
options in nmap on or behind the firewall, I get "operation not
|
||||
permitted".
|
||||
How can I use nmap with Shorewall?"</h4>
|
||||
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
|
||||
"NEWNOTSYN=Yes" then restart Shorewall.<br>
|
||||
<br>
|
||||
<h4><a name="faq26a"></a><b><span style="font-weight: bold;">26a.
|
||||
</span></b>When I try to use the <span style="font-weight: bold;">"-O"
|
||||
option of nmap</span> from the firewall system, I get "<span
|
||||
style="font-weight: bold;">operation not permitted". </span>How to I
|
||||
allow this option?</h4>
|
||||
Add this command to your /etc/shorewall/start file:<br>
|
||||
<pre style="margin-left: 40px;"><tt>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</tt><br></pre>
|
||||
<h4><a name="faq27">27. I'm compiling a new kernel for my firewall.
|
||||
What
|
||||
should I look out for?</a></h4>
|
||||
|
||||
@ -19,6 +19,54 @@
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><b>10/21/2003 - Shorewall 1.4.7a<br>
|
||||
</b></p>
|
||||
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying to use
|
||||
the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued, Shorewall
|
||||
was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes routes through
|
||||
interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
|
||||
corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F" or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6 (Those in bold font were
|
||||
|
||||
@ -263,9 +263,15 @@ status)<br>
|
||||
esac</font></p>
|
||||
</blockquote>
|
||||
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
|
||||
<p>I consider hosts connected to my PPTP server to be just like local
|
||||
systems.
|
||||
My key Shorewall entries are:</p>
|
||||
<p>Often there will be situations where you want multiple connections
|
||||
from remote networks with these networks having different firewalling
|
||||
requirements.<br>
|
||||
</p>
|
||||
<div style="text-align: center;"><img src="images/MultiPPTP.png"
|
||||
title="" alt="" style="width: 846px; height: 544px;"><br>
|
||||
</div>
|
||||
<p>Here's how you configure this in Shorewall:<br>
|
||||
</p>
|
||||
<h4>/etc/shorewall/zones:</h4>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
@ -283,7 +289,31 @@ My key Shorewall entries are:</p>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>Local</td>
|
||||
<td>My Local Network including remote PPTP clients</td>
|
||||
<td>Local Network <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn1</td>
|
||||
<td style="vertical-align: top;">Remote1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote Network 1<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote Network 2<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn3<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote3<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote Network 3<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@ -307,13 +337,13 @@ My key Shorewall entries are:</p>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td>192.168.10.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>-</td>
|
||||
<td>ppp+</td>
|
||||
<td> </td>
|
||||
<td> -</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
@ -335,145 +365,32 @@ My key Shorewall entries are:</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn1<br>
|
||||
</td>
|
||||
<td>ppp+:192.168.1.0/24</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<h4>/etc/shorewall/policy:</h4>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>POLICY</b></td>
|
||||
<td><b>LOG LEVEL</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<h4>/etc/shorewall/rules (For Shorewall versions up to and including
|
||||
1.3.9b):</h4>
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>1723</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>47</td>
|
||||
<td>-</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>47</td>
|
||||
<td>-</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions
|
||||
1.3.10 and
|
||||
later)<br>
|
||||
</b></p>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>TYPE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY ZONE<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">pptpserver<br>
|
||||
<td style="vertical-align: top;">vpn2<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
<td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn3<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"><br>
|
||||
Note: I have multiple ppp interfaces on my firewall. If you have a
|
||||
single
|
||||
ppp interface, you probably want:</p>
|
||||
<h4>/etc/shorewall/interfaces:</h4>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>eth0</td>
|
||||
<td>206.124.146.255</td>
|
||||
<td>norfc1918</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>ppp0</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
|
||||
Your policies and rules can now be configured using separate zones
|
||||
(vpn1, vpn2, and vpn3) for the three remote network.<br>
|
||||
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
|
||||
Behind
|
||||
your Firewall</h2>
|
||||
@ -968,7 +885,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
|
||||
That entry allows a PPTP tunnel to be established between your
|
||||
Shorewall system and the PPTP server in the modem.<br>
|
||||
</div>
|
||||
<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
|
||||
<p><font size="2">Last modified 10/11/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
@ -30,18 +30,28 @@ application.</li>
|
||||
<li>Be used with an Operating System other than Linux (version >=
|
||||
2.4.0)<br>
|
||||
</li>
|
||||
<li>Do content filtering -- better to use <a
|
||||
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
|
||||
<li>Do content filtering:</li>
|
||||
<ul>
|
||||
<li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
|
||||
for that.</li>
|
||||
<li>Email -- Install something like <a
|
||||
href="http://www.postfix.org">Postfix</a> on your firewall and
|
||||
integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
|
||||
and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
|
||||
</li>
|
||||
</ul>
|
||||
</ul>
|
||||
In addition:<br>
|
||||
<ul>
|
||||
<li>Shorewall does not contain any support for Netfilter <span
|
||||
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
|
||||
<li>Shorewall does not contain any support for Netfilter <a
|
||||
href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
|
||||
style="font-style: italic;">Patch-O-Matic</span></a> features --
|
||||
Shorewall
|
||||
only supports features from released kernels.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<br>
|
||||
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
|
||||
<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
|
||||
@ -28,10 +28,14 @@
|
||||
</table>
|
||||
<br>
|
||||
This page covers Shorewall configuration to use with <a
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
|
||||
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
|
||||
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <a
|
||||
href="#Transparent">Transparent
|
||||
Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
|
||||
<br>
|
||||
If you are running Shorewall 1.3, please see <a
|
||||
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
|
||||
<h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
|
||||
</h1>
|
||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||
alt="Caution" align="middle"> Please observe the
|
||||
following general requirements:<br>
|
||||
@ -71,7 +75,7 @@ running on the Firewall.</a></li>
|
||||
local network</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||
</ol>
|
||||
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
|
||||
<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
|
||||
You want to redirect all local www connection requests
|
||||
EXCEPT those to your own http server (206.124.146.177) to a Squid
|
||||
transparent proxy running on the firewall
|
||||
@ -123,15 +127,49 @@ DEST</b></td>
|
||||
There may be a requirement to exclude additional destination
|
||||
hosts or networks from being redirected. For example, you might also
|
||||
want
|
||||
requests destined for 130.252.100.0/24 to not be routed to Squid. In
|
||||
that
|
||||
case, you must add a manual rule in /etc/shorewall/start:<br>
|
||||
requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
|
||||
<br>
|
||||
If you are running Shorewall version 1.4.5 or later, you may just add
|
||||
the additional hosts/networks to the ORIGINAL DEST column in your
|
||||
REDIRECT rule:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177,130.252.100.0/24</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
If you are running a Shorewall version earlier than 1.4.5, you must add
|
||||
a manual rule in /etc/shorewall/start:<br>
|
||||
<blockquote>
|
||||
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
|
||||
</blockquote>
|
||||
To exclude additional hosts or networks, just add additional
|
||||
similar rules.<br>
|
||||
<h2><a name="Local"></a>Squid Running in the local network</h2>
|
||||
<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
|
||||
You want to redirect all local www connection requests to a Squid
|
||||
transparent proxy running in your local zone at 192.168.1.3 and
|
||||
listening
|
||||
@ -273,7 +311,8 @@ command above:<br>
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
|
||||
<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
|
||||
what I do)</h2>
|
||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||
You want to run both a web server and Squid on that system. Your DMZ
|
||||
interface is eth1 and your local interface is eth2.<br>
|
||||
@ -455,7 +494,133 @@ command above:<br>
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
|
||||
Assume that Squid is running in zone SZ and listening on port SP; all
|
||||
web sites that are to be accessed through Squid are in the 'net' zone.
|
||||
Then for each zone Z that needs access to the Squid server:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">Z<br>
|
||||
</td>
|
||||
<td valign="top">SZ<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">SP<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">SZ<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">Squid on the firewall listening on port
|
||||
8080 with access from the 'loc' zone:<br>
|
||||
<br>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">$FW<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">8080<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">$FW<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</div>
|
||||
<p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
|
||||
Eastep</a>
|
||||
</font></p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
|
||||
@ -28,25 +28,25 @@ Issues</font></h1>
|
||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||
a corrected script, be sure to run the script through <u> <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
||||
it to your Linux system.</b></p>
|
||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved it
|
||||
to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>If you are installing Shorewall for the first
|
||||
time and plan to use the .tgz and install.sh script, you can untar
|
||||
the archive, replace the 'firewall' script in the untarred directory
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
time and plan to use the .tgz and install.sh script, you can untar the
|
||||
archive, replace the 'firewall' script in the untarred directory with
|
||||
the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>When the instructions say to install a
|
||||
corrected firewall script in /usr/share/shorewall/firewall,
|
||||
you may rename the existing file before copying in the new file.</b></p>
|
||||
corrected firewall script in /usr/share/shorewall/firewall, you may
|
||||
rename the existing file before copying in the new file.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
|
||||
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
|
||||
BELOW. For example, do NOT install the 1.3.9a firewall script
|
||||
if you are running 1.3.7c.</font></b><br>
|
||||
BELOW. For example, do NOT install the 1.3.9a firewall script if you are
|
||||
running 1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
</ol>
|
||||
@ -61,8 +61,7 @@ Version 1.1</a></font></b></li>
|
||||
<li> <b><font color="#660066"><a href="#iptables"> Problem with
|
||||
iptables version 1.2.3 on RH7.2</a></font></b></li>
|
||||
<li> <b><a href="#Debug">Problems with kernels >= 2.4.18 and
|
||||
RedHat
|
||||
iptables</a></b></li>
|
||||
RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
|
||||
MULTIPORT=Yes</a></b></li>
|
||||
@ -75,12 +74,35 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
|
||||
<hr>
|
||||
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
|
||||
<h3></h3>
|
||||
<h3>1.4.7</h3>
|
||||
<ul>
|
||||
<li>Using some versions of 'ash' (such as from RH8) as the
|
||||
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so: <br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more information.</li>
|
||||
<li>When more than one ICMP type is listed in a rule and your kernel
|
||||
includes multiport match support, the firewall fails to start. </li>
|
||||
<li>Regardless of the setting of LOGUNCLEAN, the value
|
||||
LOGUNCLEAN=info was used.</li>
|
||||
<li>After the following error message, Shorewall was left in an
|
||||
inconsistent state:<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through interface xxx<br>
|
||||
</li>
|
||||
</ul>
|
||||
These problems have been corrected in this <a
|
||||
href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
|
||||
script</a> which may be installed in /var/share/shorewall/firewall as
|
||||
described above.<br>
|
||||
<h3>1.4.6</h3>
|
||||
<ul>
|
||||
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
|
||||
would fail to start with the error "ERROR: Traffic Control
|
||||
requires Mangle";
|
||||
that problem has been corrected in <a
|
||||
would fail to start with the error "ERROR: Traffic Control requires
|
||||
Mangle"; that problem has been corrected in <a
|
||||
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||
firewall script</a> which may be installed in
|
||||
/var/share/shorewall/firewall as described above. This problem is also
|
||||
@ -89,40 +111,34 @@ corrected in bugfix release 1.4.6a.</li>
|
||||
If a MAC address is used in the SOURCE column, an error occurs as
|
||||
follows:<br>
|
||||
<br>
|
||||
<font size="3"><tt>iptables v1.2.8: Bad mac adress
|
||||
<font size="3"><tt>iptables v1.2.8: Bad mac adress
|
||||
`00:08:B5:35:52:E7-d`</tt></font><br>
|
||||
<br>
|
||||
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
|
||||
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||
firewall script</a> which may be installed in
|
||||
/var/share/shorewall/firewall
|
||||
as described above. For all other versions, you will have to edit your
|
||||
'firewall'
|
||||
script (in versions 1.4.*, it is located in
|
||||
/usr/share/shorewall/firewall).
|
||||
Locate the function add_tcrule_() and in that function, replace this
|
||||
line:<br>
|
||||
/var/share/shorewall/firewall as described above. For all other
|
||||
versions, you will have to edit your 'firewall' script (in versions
|
||||
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
|
||||
function add_tcrule_() and in that function, replace this line:<br>
|
||||
<br>
|
||||
<span style="font-family: monospace;">r=`mac_match
|
||||
$source` </span><br>
|
||||
<span style="font-family: monospace;">r=`mac_match $source` </span><br>
|
||||
<br>
|
||||
with<br>
|
||||
<br>
|
||||
<span style="font-family: monospace;">r="`mac_match
|
||||
$source` "</span><br>
|
||||
<span style="font-family: monospace;">r="`mac_match $source` "</span><br>
|
||||
<br>
|
||||
Note that there must be a space before the ending quote!<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.4b</h3>
|
||||
<ul>
|
||||
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
|
||||
that have an empty second column (HOSTS). This problem may be corrected
|
||||
by installing <a
|
||||
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
|
||||
have an empty second column (HOSTS). This problem may be corrected by
|
||||
installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall as
|
||||
described above.</li>
|
||||
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
|
||||
as described above.</li>
|
||||
<li>The INCLUDE directive doesn't work when placed in the
|
||||
/etc/shorewall/zones file. This problem may be corrected by installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
|
||||
@ -137,9 +153,8 @@ though the log level for the console is set properly according to <a
|
||||
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
|
||||
installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall as
|
||||
described above.<br>
|
||||
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
|
||||
as described above.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.4<br>
|
||||
@ -147,8 +162,7 @@ described above.<br>
|
||||
<ul>
|
||||
<li> If you have zone names that are 5 characters long, you may
|
||||
experience problems starting Shorewall because the --log-prefix in a
|
||||
logging rule is too long. Upgrade to Version 1.4.4a to fix this
|
||||
problem..</li>
|
||||
logging rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
|
||||
</ul>
|
||||
<h3>1.4.3</h3>
|
||||
<ul>
|
||||
@ -157,8 +171,8 @@ to allow integration of Shorewall with Fireparse
|
||||
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
|
||||
of the integration problem. I have implimented a new LOGFORMAT variable
|
||||
which will replace LOGMARKER which has completely solved this problem
|
||||
and is currently in production with fireparse here at shorewall.net.
|
||||
The updated files may be found at <a
|
||||
and is currently in production with fireparse here at shorewall.net. The
|
||||
updated files may be found at <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
|
||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
|
||||
See the 0README.txt file for details.<br>
|
||||
@ -170,9 +184,8 @@ See the 0README.txt file for details.<br>
|
||||
directory created in /tmp is not being removed. This problem may be
|
||||
corrected by installing <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall as
|
||||
described above. <br>
|
||||
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
|
||||
as described above. <br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
|
||||
@ -190,8 +203,8 @@ in /etc/shorewall/common.def.<br>
|
||||
<li>When a "shorewall check" command is executed, each "rule"
|
||||
produces the harmless additional message:<br>
|
||||
<br>
|
||||
/usr/share/shorewall/firewall: line 2174: [: =:
|
||||
unary operator expected<br>
|
||||
/usr/share/shorewall/firewall: line 2174: [: =: unary operator
|
||||
expected<br>
|
||||
<br>
|
||||
You may correct the problem by installing <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
|
||||
@ -202,8 +215,8 @@ You may correct the problem by installing <a
|
||||
<h3>1.4.0</h3>
|
||||
<ul>
|
||||
<li>When running under certain shells Shorewall will attempt to
|
||||
create ECN rules even when /etc/shorewall/ecn is empty. You may
|
||||
either just remove /etc/shorewall/ecn or you can install <a
|
||||
create ECN rules even when /etc/shorewall/ecn is empty. You may either
|
||||
just remove /etc/shorewall/ecn or you can install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
|
||||
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
|
||||
</li>
|
||||
@ -218,36 +231,35 @@ with iptables version 1.2.3</font></h3>
|
||||
<blockquote>
|
||||
<p align="left">There are a couple of serious bugs in iptables 1.2.3
|
||||
that prevent it from working with Shorewall. Regrettably, RedHat
|
||||
released this buggy iptables in RedHat 7.2. </p>
|
||||
released this buggy iptables in RedHat 7.2. </p>
|
||||
<p align="left"> I have built a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have
|
||||
also built an <a
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have also
|
||||
built an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are
|
||||
currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
||||
</b>you upgrade to RedHat 7.2.</p>
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
running RedHat 7.1, you can install either of these RPMs <b><u>before</u> </b>you
|
||||
upgrade to RedHat 7.2.</p>
|
||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||
has released an iptables-1.2.4 RPM of their own which
|
||||
you can download from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
||||
</font>I have installed this RPM on my firewall and
|
||||
it works fine.</p>
|
||||
has released an iptables-1.2.4 RPM of their own which you can download
|
||||
from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
|
||||
have installed this RPM on my firewall and it works fine.</p>
|
||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||
the patches are available for download. This <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||
which corrects a problem with parsing of the --log-level specification
|
||||
while this <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
<p align="left">To install one of the above patches:</p>
|
||||
<ul>
|
||||
<li>cd iptables-1.2.3/extensions</li>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
</ul>
|
||||
</blockquote>
|
||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18 and
|
||||
RedHat iptables</h3>
|
||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18 and RedHat
|
||||
iptables</h3>
|
||||
<blockquote>
|
||||
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
|
||||
2.4.18/19 may experience the following:</p>
|
||||
@ -256,13 +268,11 @@ RedHat iptables</h3>
|
||||
</blockquote>
|
||||
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
||||
user-space debugging code was not updated to reflect recent changes in
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
||||
<a
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing <a
|
||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||
this iptables RPM</a>. If you are already running a
|
||||
1.2.5 version of iptables, you will need to specify the
|
||||
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
|
||||
iptables-1.2.5-1.i386.rpm").</p>
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
||||
iptables, you will need to specify the --oldpackage option to rpm
|
||||
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
|
||||
<p>If you find that rpm complains about a conflict with kernel <=
|
||||
@ -274,8 +284,8 @@ option to rpm.</p>
|
||||
MULTIPORT=Yes</b></h3>
|
||||
<p>The iptables 1.2.7 release of iptables has made an incompatible
|
||||
change to the syntax used to specify multiport match rules; as a
|
||||
consequence, if you install iptables 1.2.7 you must be running
|
||||
Shorewall 1.3.7a or later or:</p>
|
||||
consequence, if you install iptables 1.2.7 you must be running Shorewall
|
||||
1.3.7a or later or:</p>
|
||||
<ul>
|
||||
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running Shorewall 1.3.6 you may install <a
|
||||
@ -288,28 +298,25 @@ above.</li>
|
||||
/etc/shorewall/nat entries of the following form will result in
|
||||
Shorewall being unable to start:<br>
|
||||
<br>
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
Error message is:<br>
|
||||
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support for
|
||||
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
|
||||
2.4.19 kernel contains corrected support
|
||||
under a new kernel configuraiton option; see <a
|
||||
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
2.4.19 kernel contains corrected support under a new kernel
|
||||
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
<br>
|
||||
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
|
||||
and REJECT
|
||||
(also applies to 2.4.21-RC1)</b></h3>
|
||||
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
|
||||
REJECT (also applies to 2.4.21-RC1)</b></h3>
|
||||
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
|
||||
tcp-reset" is broken. The symptom most commonly seen is that REJECT
|
||||
rules act just like DROP rules when dealing with TCP. A kernel patch
|
||||
and precompiled modules to fix this problem are available at <a
|
||||
rules act just like DROP rules when dealing with TCP. A kernel patch and
|
||||
precompiled modules to fix this problem are available at <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
|
||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
|
||||
<hr>
|
||||
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
</p>
|
||||
<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
|
||||
@ -40,10 +40,9 @@ and control that facility. Netfilter can be used in ipchains
|
||||
compatibility mode.<br>
|
||||
</li>
|
||||
<li>iptables - the utility program used to configure and
|
||||
control
|
||||
Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in
|
||||
ipchains compatibility mode).<br>
|
||||
control Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||
compatibility mode).<br>
|
||||
</li>
|
||||
</ul>
|
||||
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
@ -59,12 +58,13 @@ capabilities.<br>
|
||||
<br>
|
||||
This program is free software; you can redistribute it and/or modify it
|
||||
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
2 of the GNU General Public License</a> as published by the Free
|
||||
Software Foundation.<br>
|
||||
<p> This program is distributed in the hope that it will be
|
||||
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details.<br>
|
||||
General
|
||||
Public License for more details.<br>
|
||||
<br>
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
@ -84,23 +84,73 @@ Shorewall. For older versions:<br>
|
||||
<h2>Getting Started with Shorewall</h2>
|
||||
New to Shorewall? Start by selecting the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||
closely match your environment
|
||||
and follow the step by step instructions.<br>
|
||||
closely match your environment and follow the step by step instructions.<br>
|
||||
<h2>Looking for Information?</h2>
|
||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
Index</a> is a good place to start as is the Quick Search to your
|
||||
right.
|
||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||
If so, the documentation<b> </b>on
|
||||
this site will not apply directly to your setup. If you want
|
||||
to use the documentation that you find here, you will want to consider
|
||||
uninstalling what you have and installing a setup that matches the
|
||||
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
||||
QuickStart Guide</a> for details.<br>
|
||||
If so, the documentation<b> </b>on this site will not apply directly
|
||||
to
|
||||
your setup. If you want to use the documentation that you find here,
|
||||
you will want to consider uninstalling what you have and installing a
|
||||
setup that matches the documentation on this site. See the <a
|
||||
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||
details.<br>
|
||||
<h2>News</h2>
|
||||
<p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
||||
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""><br>
|
||||
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that
|
||||
occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||
to use the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued,
|
||||
Shorewall was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes routes through
|
||||
interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||
been corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||
optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||
or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6 (Those in bold font
|
||||
were corrected since 1.4.7 RC2)</b><br>
|
||||
@ -119,62 +169,52 @@ were being added to a PPP interface; the addresses were successfully
|
||||
added in spite of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages</li>
|
||||
<li>Interface-specific dynamic blacklisting chains are
|
||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
<li>Interface-specific dynamic blacklisting chains are now
|
||||
displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
(previously named "Dynamic Chain").</li>
|
||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||
<li>The 'shorewall reject' and
|
||||
'shorewall drop' commands now delete any existing rules for the subject
|
||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
||||
could be many rules for the same IP address in the dynamic chain so
|
||||
that multiple 'allow' commands were required to re-enable traffic
|
||||
to/from the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in
|
||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
||||
a startup error:<br>
|
||||
<li>The 'shorewall reject' and 'shorewall drop' commands now
|
||||
delete any existing rules for the subject IP address before adding a
|
||||
new DROP or REJECT rule. Previously, there could be many rules for the
|
||||
same IP address in the dynamic chain so that multiple 'allow' commands
|
||||
were required to re-enable traffic to/from the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
|
||||
entry in /etc/shorewall/masq resulted in a startup error:<br>
|
||||
<br>
|
||||
eth0 eth1
|
||||
206.124.146.20-206.124.146.24<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall previously choked over
|
||||
IPV6 addresses configured on interfaces in contexts where Shorewall
|
||||
needed to detect something about the interface (such as when "detect"
|
||||
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load
|
||||
module files that are formed from the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a
|
||||
proxy ARP host and such a route already exists, two routes resulted
|
||||
previously. This has been corrected so that the existing route is
|
||||
replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been
|
||||
updated to reflect recent allocations.</li>
|
||||
<li>The documentation of the
|
||||
USER SET column in the rules file has been corrected.</li>
|
||||
<li>If there is no policy
|
||||
defined for
|
||||
the zones specified in a rule, the firewall script previously
|
||||
encountered a shell syntax error:<br>
|
||||
|
||||
<br>
|
||||
<li>Shorewall previously choked over IPV6 addresses configured
|
||||
on interfaces in contexts where Shorewall needed to detect something
|
||||
about the interface (such as when "detect" appears in the BROADCAST
|
||||
column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load module files that are formed from
|
||||
the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a proxy ARP host and such a
|
||||
route already exists, two routes resulted previously. This has been
|
||||
corrected so that the existing route is replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been updated to reflect recent
|
||||
allocations.</li>
|
||||
<li>The documentation of the USER SET column in the rules file
|
||||
has been corrected.</li>
|
||||
<li>If there is no policy defined for the zones specified in a
|
||||
rule, the firewall script previously encountered a shell syntax error:<br>
|
||||
<br>
|
||||
[: NONE: unexpected operator<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
Now, the absence of a policy generates an error message and the
|
||||
firewall is stopped:<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
No policy defined from zone
|
||||
<source> to zone <dest><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if neither
|
||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
||||
would fail to start and would not remove the lock file. Failure to
|
||||
remove the lock file resulted in the following during subsequent
|
||||
attempts to start:<br>
|
||||
|
||||
<br>
|
||||
<li>Previously, if neither /etc/shorewall/common nor
|
||||
/etc/shorewall/common.def existed, Shorewall would fail to start and
|
||||
would not remove the lock file. Failure to remove the lock file
|
||||
resulted in the following during subsequent attempts to start:<br>
|
||||
<br>
|
||||
Loading /usr/share/shorewall/functions...<br>
|
||||
Processing /etc/shorewall/params ...<br>
|
||||
Processing /etc/shorewall/shorewall.conf...<br>
|
||||
@ -183,19 +223,17 @@ attempts to start:<br>
|
||||
<br>
|
||||
Shorewall now reports a fatal error if neither of these two files exist
|
||||
and correctly removes the lock fille.</li>
|
||||
<li>The order of processing
|
||||
the
|
||||
various options has been changed such that blacklist entries now take
|
||||
precedence over the 'dhcp' interface setting.</li>
|
||||
<li>The log message generated
|
||||
from the
|
||||
'logunclean' interface option has been changed to reflect a disposition
|
||||
of LOG rather than DROP.</li>
|
||||
<li>The order of processing the various options has been
|
||||
changed such that blacklist entries now take precedence over the 'dhcp'
|
||||
interface setting.</li>
|
||||
<li>The log message generated from the 'logunclean' interface
|
||||
option has been changed to reflect a disposition of LOG rather than
|
||||
DROP.</li>
|
||||
<li><span style="font-weight: bold;">When a user name and/or a
|
||||
group
|
||||
name was specified in the USER SET column and the destination zone was
|
||||
qualified with a IP address, the user and/or group name was not being
|
||||
used to qualify the rule.<br>
|
||||
group name was specified in the USER SET column and the destination
|
||||
zone
|
||||
was qualified with a IP address, the user and/or group name was not
|
||||
being used to qualify the rule.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
@ -225,8 +263,9 @@ command-specific help (e.g., shorewall help <command>).</li>
|
||||
<li>A new option "ADMINISABSENTMINDED" has been added to
|
||||
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
||||
for existing users which causes Shorewall's 'stopped' state to
|
||||
continue as it has been; namely, in the stopped state only traffic
|
||||
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
continue
|
||||
as it has been; namely, in the stopped state only traffic to/from hosts
|
||||
listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
<br>
|
||||
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
||||
addition to traffic to/from the hosts listed in
|
||||
@ -234,7 +273,8 @@ addition to traffic to/from the hosts listed in
|
||||
<br>
|
||||
a) All traffic originating from the firewall itself; and<br>
|
||||
b) All traffic that is part of or related to an
|
||||
already-existing connection.<br>
|
||||
already-existing
|
||||
connection.<br>
|
||||
<br>
|
||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||
entered through an ssh session will not kill the session.<br>
|
||||
@ -258,12 +298,9 @@ fw tcp 22<br>
|
||||
<br>
|
||||
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
||||
connection with local system 192.168.1.5. I then create a second SSH
|
||||
connection
|
||||
from that computer to the firewall and confidently type "shorewall
|
||||
stop".
|
||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
||||
SSH
|
||||
connection to 192.168.1.5!!!</li>
|
||||
connection from that computer to the firewall and confidently type
|
||||
"shorewall stop". As part of its stop processing, Shorewall removes
|
||||
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
|
||||
<li>Given the wide range of VPN software, I can never hope to
|
||||
add specific support for all of it. I have therefore decided to add
|
||||
"generic" tunnel support.<br>
|
||||
@ -283,15 +320,17 @@ where:<br>
|
||||
<protocol> is the protocol
|
||||
used by the tunnel<br>
|
||||
<port> if the protocol
|
||||
is 'udp' or 'tcp' then this is the destination port number used by the
|
||||
tunnel.<br>
|
||||
is 'udp' or 'tcp' then this is the
|
||||
destination port number used by the tunnel.<br>
|
||||
<zone> is the zone of
|
||||
the remote tunnel gateway<br>
|
||||
<ip address> is the IP
|
||||
address of the remote tunnel gateway.<br>
|
||||
address of the remote tunnel
|
||||
gateway.<br>
|
||||
<gateway zone>
|
||||
Optional. A comma-separated list of zone names. If specified, the
|
||||
remote gateway is to be considered part of these zones.</li>
|
||||
Optional. A comma-separated list of zone
|
||||
names. If specified, the remote gateway is to be considered part of
|
||||
these zones.</li>
|
||||
<li>An 'arp_filter' option has been added to the
|
||||
/etc/shorewall/interfaces file. This option causes
|
||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||
@ -301,7 +340,8 @@ facilitates testing of your firewall where multiple firewall interfaces
|
||||
are connected to the same HUB/Switch (all interfaces connected to the
|
||||
single HUB/Switch should have this option specified). Note that using
|
||||
such a configuration in a production environment is strongly
|
||||
recommended against.</li>
|
||||
recommended
|
||||
against.</li>
|
||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||
@ -320,8 +360,9 @@ separately.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Warning: </span>When rate
|
||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||
fields, the limit will apply to each pair of zones individually rather
|
||||
than as a single limit for all pairs of covered by the rule.<br>
|
||||
fields,
|
||||
the limit will apply to each pair of zones individually rather than as
|
||||
a single limit for all pairs of covered by the rule.<br>
|
||||
<br>
|
||||
To specify a rate limit, <br>
|
||||
<br>
|
||||
@ -330,15 +371,14 @@ a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
||||
<
|
||||
<rate>/<interval>[:<burst>] ><br>
|
||||
<br>
|
||||
|
||||
where<br>
|
||||
where<br>
|
||||
<br>
|
||||
<rate> is the sustained rate per
|
||||
<interval><br>
|
||||
<interval> is "sec" or "min"<br>
|
||||
<burst> is the largest burst
|
||||
accepted within an <interval>. If not given, the default of 5 is
|
||||
assumed.<br>
|
||||
accepted within an
|
||||
<interval>. If not given, the default of 5 is assumed.<br>
|
||||
<br>
|
||||
There may be no white space between the ACTION and "<" nor there may
|
||||
be any white space within the burst specification. If you want to
|
||||
@ -364,59 +404,16 @@ After this, it will be 500ms (1 second divided by the rate<br>
|
||||
of 2) before a packet will be accepted from this rule, regardless of
|
||||
how many packets reach it. Also, every 500ms which passes without
|
||||
matching a packet, one of the bursts will be regained; if no packets
|
||||
hit the rule for 2 second, the burst will be fully recharged; back
|
||||
where we started.<br>
|
||||
hit
|
||||
the rule for 2 second, the burst will be fully recharged; back where we
|
||||
started.<br>
|
||||
</li>
|
||||
<li>Multiple chains may now be displayed in one "shorewall
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
for details.<br>
|
||||
<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
||||
there is now a Shorewall Mirror in Australia:</p>
|
||||
<p style="margin-left: 40px;"><a
|
||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
|
||||
size="3"><br>
|
||||
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
|
||||
</p>
|
||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
||||
Guide </b></p>
|
||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
|
||||
</font>
|
||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6:</b><br>
|
||||
<ol>
|
||||
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
||||
then Shorewall would fail to start with the error "ERROR: Traffic
|
||||
Control requires Mangle"; that problem has been corrected.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
the
|
||||
tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables
|
||||
command.</li>
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled
|
||||
exists. This prevents people from shooting themselves in the foot prior
|
||||
to
|
||||
having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during
|
||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
||||
being
|
||||
added to a PPP interface; the addresses were successfully added in
|
||||
spite
|
||||
of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages.<br>
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
||||
details.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b></b></p>
|
||||
@ -432,8 +429,8 @@ You can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo">
|
||||
http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
<b>Congratulations to Jacques
|
||||
and Eric on the recent release of Bering 1.2!!! </b><br>
|
||||
<b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.2!!! </b><br>
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
</td>
|
||||
<td width="88" bgcolor="#3366ff" valign="top" align="center">
|
||||
@ -479,7 +476,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
|
||||
@ -1,119 +1,106 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Features</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<ul>
|
||||
<li>Uses Netfilter's connection tracking facilities for stateful packet
|
||||
filtering.</li>
|
||||
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
|
||||
|
||||
<li>Uses Netfilter's connection tracking facilities for stateful
|
||||
packet filtering.</li>
|
||||
<li>Can be used in a <b> wide range of router/firewall/gateway
|
||||
applications</b>.
|
||||
<ul>
|
||||
<li>Completely customizable using configuration files.</li>
|
||||
<li>No limit on the number of network interfaces.</li>
|
||||
<li>Allows you to partitions the network into <i><a
|
||||
href="Documentation.htm#Zones">zones</a></i> and gives you complete
|
||||
control over the connections permitted between each pair of zones.</li>
|
||||
<li>Multiple interfaces per zone and multiple zones per interface
|
||||
permitted.</li>
|
||||
<li>Supports nested and overlapping zones.</li>
|
||||
|
||||
<li>Completely customizable using configuration files.</li>
|
||||
<li>No limit on the number of network interfaces.</li>
|
||||
<li>Allows you to partitions the network into <i><a
|
||||
href="Documentation.htm#Zones">zones</a></i> and gives you complete
|
||||
control over the connections permitted between each pair of
|
||||
zones.</li>
|
||||
<li>Multiple interfaces per zone and multiple zones per interface
|
||||
permitted.</li>
|
||||
<li>Supports nested and overlapping zones.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
|
||||
to help get your first firewall up and running quickly</li>
|
||||
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
|
||||
(HOWTOs)</a> to help get your first firewall up and running quickly</li>
|
||||
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
|
||||
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
|
||||
</li>
|
||||
<li>Extensive <b> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
|
||||
</b> included in the .tgz and .rpm downloads.</li>
|
||||
<li><b>Flexible address management/routing support</b> (and you can
|
||||
use all types in the same firewall):
|
||||
</li>
|
||||
<li>Extensive <b> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">documentation</a> </b>
|
||||
included in the .tgz and .rpm downloads.</li>
|
||||
<li><b>Flexible address management/routing support</b> (and you can
|
||||
use all types in the same firewall):
|
||||
<ul>
|
||||
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
||||
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
||||
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
|
||||
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
||||
<li>Simple host/subnet Routing</li>
|
||||
|
||||
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
||||
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
||||
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
|
||||
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
||||
<li>Simple host/subnet Routing</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
|
||||
individual IP addresses and subnetworks is supported.</li>
|
||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
|
||||
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
|
||||
individual IP addresses and subnetworks is supported.</li>
|
||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational
|
||||
support</a></b>:
|
||||
<ul>
|
||||
<li>Commands to start, stop and clear the firewall</li>
|
||||
<li>Supports status monitoring with an audible
|
||||
alarm when an "interesting" packet is detected.</li>
|
||||
<li>Wide variety of informational commands.</li>
|
||||
|
||||
<li>Commands to start, stop and clear the firewall</li>
|
||||
<li>Supports status monitoring with an audible
|
||||
alarm when an "interesting" packet is detected.</li>
|
||||
<li>Wide variety of informational commands.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><b>VPN Support</b>
|
||||
</li>
|
||||
<li><b>VPN Support</b>
|
||||
<ul>
|
||||
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE, IPIP and
|
||||
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE, IPIP and
|
||||
OpenVPN Tunnels</a>.</li>
|
||||
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
||||
|
||||
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
|
||||
integration.</li>
|
||||
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
||||
|
||||
<ul>
|
||||
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
|
||||
packages available.</li>
|
||||
<li>Includes <a href="Install.htm"><b>automated install, upgrade,
|
||||
fallback and uninstall facilities</b></a> for users who can't use
|
||||
or choose not to use the RPM or Debian packages.</li>
|
||||
<li>Included as a standard part of<b> <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
|
||||
on a floppy, CD or compact flash).</li>
|
||||
|
||||
</li>
|
||||
<li>Support for <a href="traffic_shaping.htm"><b>Traffic
|
||||
Control/Shaping</b></a> integration.</li>
|
||||
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
||||
<ul>
|
||||
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
|
||||
packages available.</li>
|
||||
<li>Includes <a href="Install.htm"><b>automated install,
|
||||
upgrade, fallback and uninstall facilities</b></a> for users
|
||||
who can't use or choose not to use the RPM or Debian packages.</li>
|
||||
<li>Included as a standard part of<b> <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
|
||||
on a floppy, CD or compact flash).</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
|
||||
Address <b>Verification</b><br>
|
||||
</a><br>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
|
||||
Address <b>Verification</b></a></li>
|
||||
<li><a href="Accounting.html">Traffic Accounting<br>
|
||||
</a><br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font size="2">Last updated 10/12/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@ -24,8 +24,7 @@ Guides (HOWTO's)<br>
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="center">With thanks to Richard who reminded me once again
|
||||
that we
|
||||
must all first walk before we can run.<br>
|
||||
that we must all first walk before we can run.<br>
|
||||
The French Translations of the single-IP guides are courtesy of Patrice
|
||||
Vetsel<br>
|
||||
The French Translation of the Shorewall Setup Guide is courtesy of
|
||||
@ -50,16 +49,15 @@ acting as a firewall/router for a small local network and a DMZ. (<a
|
||||
<p>The above guides are designed to get your first firewall up and
|
||||
running quickly in the three most common Shorewall configurations. If
|
||||
you want to learn more about Shorewall than is explained in the above
|
||||
simple guides, the <a href="shorewall_setup_guide.htm">Shorewall
|
||||
Setup Guide</a> (See Index Below) is for you.</p>
|
||||
simple guides, the <a href="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide</a> (See Index Below) is for you.</p>
|
||||
</blockquote>
|
||||
<p>If you have <font color="#ff0000"><big><big><b>more than one public
|
||||
IP address</b></big></big></font>:<br>
|
||||
</p>
|
||||
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide</a> (See Index Below) outlines the steps necessary to set up a
|
||||
firewall where there are multiple public IP
|
||||
addresses involved or if you
|
||||
firewall where there are multiple public IP addresses involved or if you
|
||||
want to learn more about Shorewall than is explained in the
|
||||
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
|
||||
Française</a>).</blockquote>
|
||||
@ -79,15 +77,13 @@ Interfaces (e.g., eth0:0)</a><br>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
<ul>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using
|
||||
/sbin/shorewall</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="starting_and_stopping_shorewall.htm">Commands</a>
|
||||
(Description of
|
||||
all /sbin/shorewall commands)</li>
|
||||
(Description of all /sbin/shorewall commands)</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration file
|
||||
features</a> </li>
|
||||
features</a> </li>
|
||||
<ul>
|
||||
<li><a href="configuration_file_basics.htm#Comments">Comments in
|
||||
configuration files</a></li>
|
||||
@ -142,14 +138,13 @@ in Shorewall</a> </li>
|
||||
</li>
|
||||
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
|
||||
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
|
||||
code through the use of files in /etc/shorewall --
|
||||
/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
|
||||
code through the use of files in /etc/shorewall -- /etc/shorewall/start,
|
||||
/etc/shorewall/stopped, etc.)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="FAQ.htm">FAQs</a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_features.htm">Features</a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
|
||||
<li><a href="FTP.html">FTP and Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="support.htm">Getting help or answers to questions</a></li>
|
||||
@ -164,7 +159,8 @@ code through the use of files in /etc/shorewall --
|
||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">MAC Verification</a></li>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a></li>
|
||||
<li><a href="NetfilterOverview.html">Netfilter Overview</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Shorewall Configuration (How I
|
||||
personally use Shorewall)</a></li>
|
||||
@ -178,8 +174,7 @@ personally use Shorewall)</a></li>
|
||||
<li>Ports used by Trojans</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy
|
||||
ARP</a></li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
|
||||
</li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
@ -197,8 +192,7 @@ Subnets and Routing</a>
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
|
||||
Addresses</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Subnets">4.2
|
||||
Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol (ARP)</a></li>
|
||||
@ -235,8 +229,7 @@ Starting and Stopping the Firewall</a></li>
|
||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the
|
||||
Firewall</a></font></li>
|
||||
<ul>
|
||||
<li>Description of all /sbin/shorewall
|
||||
commands</li>
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
</ul>
|
||||
@ -255,8 +248,7 @@ doesn't work)</a></li>
|
||||
<li>VPN
|
||||
<ul>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and
|
||||
IPIP</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
||||
</li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
@ -270,9 +262,9 @@ firewall to a remote network.</li>
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
|
||||
</ul>
|
||||
<p>If you use one of these guides and have a suggestion for improvement
|
||||
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
|
||||
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
<p><font size="2">Last modified 10/11/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
|
||||
M. Eastep</font></a><br>
|
||||
|
||||
@ -37,14 +37,12 @@ and control that facility. Netfilter can be used in ipchains
|
||||
compatibility mode.<br>
|
||||
</li>
|
||||
<li>iptables - the utility program used to configure and
|
||||
control
|
||||
Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in
|
||||
ipchains compatibility mode).<br>
|
||||
control Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||
compatibility mode).<br>
|
||||
</li>
|
||||
</ul>
|
||||
The
|
||||
Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
high-level tool for configuring Netfilter. You describe your
|
||||
firewall/gateway requirements using entries in a set of configuration
|
||||
files. Shorewall reads those configuration files and with the help of
|
||||
@ -56,14 +54,14 @@ and can thus take advantage of Netfilter's connection state tracking
|
||||
capabilities.
|
||||
<p>This program is free software; you can redistribute it and/or
|
||||
modify it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
||||
GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
<br>
|
||||
This program is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details.<br>
|
||||
General
|
||||
Public License for more details.<br>
|
||||
<br>
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
@ -81,30 +79,80 @@ Shorewall. For older versions:<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h2>Getting Started with Shorewall</h2>
|
||||
New to Shorewall? Start by
|
||||
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
|
||||
that most closely match your environment and
|
||||
follow the step by step instructions.<br>
|
||||
New to Shorewall? Start by selecting the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||
closely match your environment and follow the step by step instructions.<br>
|
||||
<h2>Looking for Information?</h2>
|
||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
Index</a> is a good place to start as is the Quick Search to your
|
||||
right.
|
||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||
If so, the documentation<b> </b>on this site will not apply directly
|
||||
to your setup. If you want to
|
||||
use the documentation that you find here, you will want to consider
|
||||
uninstalling what you have and installing a setup that matches the
|
||||
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
||||
QuickStart Guide</a> for
|
||||
to
|
||||
your setup. If you want to use the documentation that you find here,
|
||||
you will want to consider uninstalling what you have and installing a
|
||||
setup that matches the documentation on this site. See the <a
|
||||
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||
details.
|
||||
<h2></h2>
|
||||
<h2><b>News</b></h2>
|
||||
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that
|
||||
occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||
to use the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued,
|
||||
Shorewall was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes routes through
|
||||
interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||
been corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||
optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||
or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||
</ol>
|
||||
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b><br>
|
||||
<b><br>
|
||||
Problems Corrected since version 1.4.6 (Those in bold font
|
||||
were corrected since 1.4.7 RC2).</b><br>
|
||||
Problems Corrected since version 1.4.6 (Those in bold font were
|
||||
corrected since 1.4.7 RC2).</b><br>
|
||||
<ol>
|
||||
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
||||
variable was being tested before it was set.</li>
|
||||
@ -120,65 +168,53 @@ were being added to a PPP interface; the addresses were successfully
|
||||
added in spite of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages</li>
|
||||
<li>Interface-specific dynamic blacklisting chains are
|
||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
<li>Interface-specific dynamic blacklisting chains are now
|
||||
displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
(previously named "Dynamic Chain").</li>
|
||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||
<li value="7">The 'shorewall reject'
|
||||
and
|
||||
'shorewall drop' commands now delete any existing rules for the subject
|
||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
||||
could be many rules for the same IP address in the dynamic chain so
|
||||
that multiple 'allow' commands were required to re-enable traffic
|
||||
to/from the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in
|
||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
||||
a startup error:<br>
|
||||
<li value="7">The 'shorewall reject' and 'shorewall drop'
|
||||
commands now delete any existing rules for the subject IP address
|
||||
before adding a new DROP or REJECT rule. Previously, there could be
|
||||
many rules for the same IP address in the dynamic chain so that
|
||||
multiple 'allow' commands were required to re-enable traffic to/from
|
||||
the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
|
||||
entry in /etc/shorewall/masq resulted in a startup error:<br>
|
||||
<br>
|
||||
eth0 eth1
|
||||
206.124.146.20-206.124.146.24<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall previously choked over
|
||||
IPV6
|
||||
addresses configured on interfaces in contexts where Shorewall needed
|
||||
to detect something about the interface (such as when "detect" appears
|
||||
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load
|
||||
module files that are formed from the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a
|
||||
proxy
|
||||
ARP host and such a route already exists, two routes resulted
|
||||
previously. This has been corrected so that the existing route is
|
||||
replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been
|
||||
updated to reflect recent allocations.</li>
|
||||
<li>The documentation of the
|
||||
USER SET column in the rules file has been corrected.</li>
|
||||
<li>If there is no policy
|
||||
defined for
|
||||
the zones specified in a rule, the firewall script previously
|
||||
encountered a shell syntax error:<br>
|
||||
|
||||
<br>
|
||||
<li>Shorewall previously choked over IPV6 addresses configured
|
||||
on interfaces in contexts where Shorewall needed to detect something
|
||||
about the interface (such as when "detect" appears in the BROADCAST
|
||||
column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load module files that are formed from
|
||||
the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a proxy ARP host and such a
|
||||
route already exists, two routes resulted previously. This has been
|
||||
corrected so that the existing route is replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been updated to reflect recent
|
||||
allocations.</li>
|
||||
<li>The documentation of the USER SET column in the rules file
|
||||
has been corrected.</li>
|
||||
<li>If there is no policy defined for the zones specified in a
|
||||
rule, the firewall script previously encountered a shell syntax error:<br>
|
||||
<br>
|
||||
[: NONE: unexpected operator<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
Now, the absence of a policy generates an error message and the
|
||||
firewall is stopped:<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
No policy defined from zone
|
||||
<source> to zone <dest><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if neither
|
||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
||||
would fail to start and would not remove the lock file. Failure to
|
||||
remove the lock file resulted in the following during subsequent
|
||||
attempts to start:<br>
|
||||
|
||||
<br>
|
||||
<li>Previously, if neither /etc/shorewall/common nor
|
||||
/etc/shorewall/common.def existed, Shorewall would fail to start and
|
||||
would not remove the lock file. Failure to remove the lock file
|
||||
resulted in the following during subsequent attempts to start:<br>
|
||||
<br>
|
||||
Loading /usr/share/shorewall/functions...<br>
|
||||
Processing /etc/shorewall/params ...<br>
|
||||
Processing /etc/shorewall/shorewall.conf...<br>
|
||||
@ -187,19 +223,17 @@ attempts to start:<br>
|
||||
<br>
|
||||
Shorewall now reports a fatal error if neither of these two files exist
|
||||
and correctly removes the lock fille.</li>
|
||||
<li>The order of processing
|
||||
the
|
||||
various options has been changed such that blacklist entries now take
|
||||
precedence over the 'dhcp' interface setting.</li>
|
||||
<li>The log message generated
|
||||
from the
|
||||
'logunclean' interface option has been changed to reflect a disposition
|
||||
of LOG rather than DROP.</li>
|
||||
<li>The order of processing the various options has been
|
||||
changed such that blacklist entries now take precedence over the 'dhcp'
|
||||
interface setting.</li>
|
||||
<li>The log message generated from the 'logunclean' interface
|
||||
option has been changed to reflect a disposition of LOG rather than
|
||||
DROP.</li>
|
||||
<li><span style="font-weight: bold;">When a user name and/or a
|
||||
group
|
||||
name was specified in the USER SET column and the destination zone was
|
||||
qualified with a IP address, the user and/or group name was not being
|
||||
used to qualify the rule.<br>
|
||||
group name was specified in the USER SET column and the destination
|
||||
zone
|
||||
was qualified with a IP address, the user and/or group name was not
|
||||
being used to qualify the rule.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
@ -217,10 +251,9 @@ details.</li>
|
||||
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
||||
changed -- see the <a href="UserSets.html">User Set page</a> for
|
||||
details.</li>
|
||||
<li>The
|
||||
per-interface Dynamic Blacklisting facility introduced in the first
|
||||
post-1.4.6 Snapshot has been removed. The facility had too many
|
||||
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||
<li>The per-interface Dynamic Blacklisting facility introduced
|
||||
in the first post-1.4.6 Snapshot has been removed. The facility had too
|
||||
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<b></b><b>New Features:</b><br>
|
||||
@ -239,8 +272,9 @@ command-specific help (e.g., shorewall help <command>).</li>
|
||||
<li>A new option "ADMINISABSENTMINDED" has been added to
|
||||
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
||||
for existing users which causes Shorewall's 'stopped' state to
|
||||
continue as it has been; namely, in the stopped state only traffic
|
||||
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
continue
|
||||
as it has been; namely, in the stopped state only traffic to/from hosts
|
||||
listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
<br>
|
||||
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
||||
addition to traffic to/from the hosts listed in
|
||||
@ -248,7 +282,8 @@ addition to traffic to/from the hosts listed in
|
||||
<br>
|
||||
a) All traffic originating from the firewall itself; and<br>
|
||||
b) All traffic that is part of or related to an
|
||||
already-existing connection.<br>
|
||||
already-existing
|
||||
connection.<br>
|
||||
<br>
|
||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||
entered through an ssh session will not kill the session.<br>
|
||||
@ -272,12 +307,9 @@ fw tcp 22<br>
|
||||
<br>
|
||||
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
||||
connection with local system 192.168.1.5. I then create a second SSH
|
||||
connection
|
||||
from that computer to the firewall and confidently type "shorewall
|
||||
stop".
|
||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
||||
SSH
|
||||
connection to 192.168.1.5!!!</li>
|
||||
connection from that computer to the firewall and confidently type
|
||||
"shorewall stop". As part of its stop processing, Shorewall removes
|
||||
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
|
||||
<li>Given the wide range of VPN software, I can never hope to
|
||||
add specific support for all of it. I have therefore decided to add
|
||||
"generic" tunnel support.<br>
|
||||
@ -297,15 +329,17 @@ where:<br>
|
||||
<protocol> is the protocol
|
||||
used by the tunnel<br>
|
||||
<port> if the protocol
|
||||
is 'udp' or 'tcp' then this is the destination port number used by the
|
||||
tunnel.<br>
|
||||
is 'udp' or 'tcp' then this is the
|
||||
destination port number used by the tunnel.<br>
|
||||
<zone> is the zone of
|
||||
the remote tunnel gateway<br>
|
||||
<ip address> is the IP
|
||||
address of the remote tunnel gateway.<br>
|
||||
address of the remote tunnel
|
||||
gateway.<br>
|
||||
<gateway zone>
|
||||
Optional. A comma-separated list of zone names. If specified, the
|
||||
remote gateway is to be considered part of these zones.</li>
|
||||
Optional. A comma-separated list of zone
|
||||
names. If specified, the remote gateway is to be considered part of
|
||||
these zones.</li>
|
||||
<li>An 'arp_filter' option has been added to the
|
||||
/etc/shorewall/interfaces file. This option causes
|
||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||
@ -315,7 +349,8 @@ facilitates testing of your firewall where multiple firewall interfaces
|
||||
are connected to the same HUB/Switch (all interfaces connected to the
|
||||
single HUB/Switch should have this option specified). Note that using
|
||||
such a configuration in a production environment is strongly
|
||||
recommended against.</li>
|
||||
recommended
|
||||
against.</li>
|
||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||
@ -334,8 +369,9 @@ separately.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Warning: </span>When rate
|
||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||
fields, the limit will apply to each pair of zones individually rather
|
||||
than as a single limit for all pairs of covered by the rule.<br>
|
||||
fields,
|
||||
the limit will apply to each pair of zones individually rather than as
|
||||
a single limit for all pairs of covered by the rule.<br>
|
||||
<br>
|
||||
To specify a rate limit, <br>
|
||||
<br>
|
||||
@ -344,15 +380,14 @@ a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
||||
<
|
||||
<rate>/<interval>[:<burst>] ><br>
|
||||
<br>
|
||||
|
||||
where<br>
|
||||
where<br>
|
||||
<br>
|
||||
<rate> is the sustained rate per
|
||||
<interval><br>
|
||||
<interval> is "sec" or "min"<br>
|
||||
<burst> is the largest burst
|
||||
accepted within an <interval>. If not given, the default of 5 is
|
||||
assumed.<br>
|
||||
accepted within an
|
||||
<interval>. If not given, the default of 5 is assumed.<br>
|
||||
<br>
|
||||
There may be no white space between the ACTION and "<" nor there may
|
||||
be any white space within the burst specification. If you want to
|
||||
@ -378,8 +413,9 @@ After this, it will be 500ms (1 second divided by the rate<br>
|
||||
of 2) before a packet will be accepted from this rule, regardless of
|
||||
how many packets reach it. Also, every 500ms which passes without
|
||||
matching a packet, one of the bursts will be regained; if no packets
|
||||
hit the rule for 2 second, the burst will be fully recharged; back
|
||||
where we started.<br>
|
||||
hit
|
||||
the rule for 2 second, the burst will be fully recharged; back where we
|
||||
started.<br>
|
||||
</li>
|
||||
<li>Multiple chains may now be displayed in one "shorewall
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
@ -387,50 +423,6 @@ show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
||||
details.</li>
|
||||
</ol>
|
||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
||||
there is now a Shorewall Mirror in Australia:</p>
|
||||
<div style="margin-left: 40px;"><a
|
||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
|
||||
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
|
||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
||||
Guide </b></p>
|
||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
|
||||
- Shorewall 1.4.7 Beta 2</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
|
||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""> <br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6:</b><br>
|
||||
<ol>
|
||||
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
||||
then Shorewall would fail to start with the error "ERROR: Traffic
|
||||
Control requires Mangle"; that problem has been corrected.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
the
|
||||
tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables
|
||||
command.</li>
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled
|
||||
exists. This prevents people from shooting themselves in the foot prior
|
||||
to
|
||||
having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during
|
||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
||||
being
|
||||
added to a PPP interface; the addresses were successfully added in
|
||||
spite
|
||||
of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages.</li>
|
||||
</ol>
|
||||
<p><b><a href="News.htm">More News</a></b></p>
|
||||
<b> </b>
|
||||
@ -503,7 +495,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
|
||||
@ -1,341 +1,315 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Traffic Shaping</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Shorewall has limited support for traffic shaping/control.
|
||||
In order to use traffic shaping under Shorewall, it is essential that
|
||||
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
|
||||
and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
|
||||
to be running Linux Kernel 2.4.18 or later.</p>
|
||||
|
||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
||||
|
||||
<p align="left">Shorewall has limited support for traffic
|
||||
shaping/control. In order to use traffic shaping under Shorewall, it is
|
||||
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux
|
||||
Advanced Routing and Shaping HOWTO</a>, version 0.3.0 or later. It is
|
||||
also necessary to be running Linux Kernel 2.4.18 or later.</p>
|
||||
<p align="left">Shorewall traffic shaping support consists of the
|
||||
following:</p>
|
||||
<ul>
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||
the setting of this variable determines whether Shorewall clears the traffic
|
||||
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you
|
||||
can specify firewall marking of packets. The firewall mark value
|
||||
may be used to classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
|
||||
that is sourced by Shorewall during "shorewall start" and which
|
||||
you can use to define your traffic shaping disciplines and classes.
|
||||
I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||
of the HOWTO mentioned above, you can probably code your own faster
|
||||
than you can learn how to use my sample. I personally use
|
||||
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
|
||||
HTB support may eventually become an integral part of Shorewall
|
||||
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
||||
order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility,
|
||||
use the run_tc function supplied by shorewall if you want tc errors
|
||||
to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by
|
||||
simply copying them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
|
||||
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
you use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been
|
||||
applied so when traffic shaping happens, all outbound traffic will have
|
||||
as a source address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
|
||||
that is sourced by Shorewall when it is clearing traffic shaping.
|
||||
This file is normally not required as Shorewall's method of clearing
|
||||
qdisc and filter definitions is pretty general.</li>
|
||||
|
||||
</ul>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||
starts or it allows you to bring up traffic shaping when you bring up your
|
||||
interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop
|
||||
traffic shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can
|
||||
mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
To start traffic shaping when you bring up your network interfaces,
|
||||
you will have to arrange for your traffic shaping configuration script
|
||||
to be run at that time. How you do that is distribution dependent and will
|
||||
not be covered here. You then should:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h3 align="left">Kernel Configuration</h3>
|
||||
|
||||
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
|
||||
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||
height="764">
|
||||
</p>
|
||||
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading
|
||||
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
||||
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
|
||||
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned
|
||||
in case of a match. This is an integer in the range 1-255. Beginning
|
||||
with Shorewall version 1.3.14, this value may be optionally followed by
|
||||
":" and either 'F' or 'P' to designate that the marking will occur in the
|
||||
FORWARD or PREROUTING chains respectively. If this additional specification
|
||||
is omitted, the chain used to mark packets will be determined by the setting
|
||||
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet
|
||||
originates on the firewall, place "fw" in this column. Otherwise,
|
||||
this is a comma-separated list of interface names, IP addresses, MAC
|
||||
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
|
||||
Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated
|
||||
list of IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol
|
||||
from /etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list
|
||||
of Port names (from /etc/services), port numbers or port ranges (e.g.,
|
||||
21:22); if the protocol is "icmp", this column is interpreted as
|
||||
the destination icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
|
||||
If omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with
|
||||
2. All packets originating on the firewall itself should be marked with
|
||||
3.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
||||
on the firewall and destined for 155.186.235.151 should be marked
|
||||
with 12.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3>My Setup<br>
|
||||
</h3>
|
||||
|
||||
<p>While I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
||||
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
|
||||
in the Wondershaper README), I have also run with the following set of
|
||||
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||
|
||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||
|
||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
||||
above. You can look at <a href="myfiles.htm">my configuration</a> to
|
||||
see why I wanted shaping of this type.<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound
|
||||
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
|
||||
traffic can use all available bandwidth if there is no traffic from the
|
||||
local systems or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.</li>
|
||||
|
||||
</ol>
|
||||
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
|
||||
to see how this fit in. <br>
|
||||
|
||||
<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||
the setting of this variable determines whether Shorewall clears the
|
||||
traffic shaping configuration during Shorewall [re]start and Shorewall
|
||||
stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you
|
||||
can specify firewall marking of packets. The firewall mark value
|
||||
may be used to classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file that is
|
||||
sourced by Shorewall during "shorewall start" and which you can use to
|
||||
define your traffic shaping disciplines and classes. I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||
of the HOWTO mentioned above, you can probably code your own faster
|
||||
than you can learn how to use my sample. I personally use <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
|
||||
support may eventually become an integral part of Shorewall since HTB
|
||||
is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a
|
||||
standard part of the kernel but iproute2 must be patched in order to
|
||||
use it.<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility,
|
||||
use the run_tc function supplied by shorewall if you want tc errors to
|
||||
stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by simply
|
||||
copying them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB
|
||||
version) that way (i.e., I just copied wshaper.htb to
|
||||
/etc/shorewall/tcstart
|
||||
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
you use use Masquerading or SNAT (i.e., you only have one external IP
|
||||
address) then listing internal hosts in the NOPRIOHOSTSRC variable in
|
||||
the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
|
||||
has already been
|
||||
applied so when traffic shaping happens, all outbound traffic will have
|
||||
as a source address the IP addresss of your firewall's external
|
||||
interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file that is
|
||||
sourced by Shorewall when it is clearing traffic shaping. This file is
|
||||
normally not required as Shorewall's method of clearing qdisc and
|
||||
filter definitions is pretty general.</li>
|
||||
</ul>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||
starts or it allows you to bring up traffic shaping when you bring up
|
||||
your interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop
|
||||
traffic shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can mark
|
||||
packets using entries in /etc/shorewall/tcrules.</li>
|
||||
</ol>
|
||||
To start traffic shaping when you bring up your network interfaces, you
|
||||
will have to arrange for your traffic shaping configuration script to
|
||||
be run at that time. How you do that is distribution dependent and will
|
||||
not be covered here. You then should:<br>
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
</ol>
|
||||
<h3 align="left">Kernel Configuration</h3>
|
||||
<p align="left">This screen shot show how I've configured QoS in my
|
||||
Kernel:</p>
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||
height="764"> </p>
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
<p align="left">The fwmark classifier provides a convenient way to
|
||||
classify packets for traffic shaping. The /etc/shorewall/tcrules file
|
||||
provides a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain
|
||||
before any address rewriting takes place. This makes it impossible to
|
||||
mark inbound packets based on their destination address when SNAT or
|
||||
Masquerading
|
||||
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
||||
marking to occur in the FORWARD chain by using the
|
||||
MARK_IN_FORWARD_CHAIN
|
||||
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned in case of a
|
||||
match. This is an integer in the range 1-255. Beginning with Shorewall
|
||||
version 1.3.14, this value may be optionally followed by
|
||||
":" and either 'F' or 'P' to designate that the marking will occur in
|
||||
the
|
||||
FORWARD or PREROUTING chains respectively. If this additional
|
||||
specification
|
||||
is omitted, the chain used to mark packets will be determined by the
|
||||
setting
|
||||
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet
|
||||
originates on the firewall, place "fw" in this column. Otherwise,
|
||||
this is a comma-separated list of interface names, IP addresses, MAC
|
||||
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a>
|
||||
and/or
|
||||
Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of IP
|
||||
addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
|
||||
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
|
||||
protocol is "icmp", this column is interpreted as the destination icmp
|
||||
type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||
omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
</ul>
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be
|
||||
marked with 1. All packets arriving on eth2 and eth3 should be marked
|
||||
with 2. All packets originating on the firewall itself should be marked
|
||||
with 3.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not
|
||||
originating on the firewall and destined for 155.186.235.151 should be
|
||||
marked with 12.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="left">Example 3 - All SSH packets originating in
|
||||
192.168.1.0/24 and destined for 155.186.235.151 should be marked with
|
||||
22.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h3>My Current Setup<br>
|
||||
</h3>
|
||||
<p>I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just
|
||||
copied wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as
|
||||
shown in the Wondershaper README).<span style="font-weight: bold;"> </span>WonderShaper
|
||||
DOES NOT USE THE
|
||||
/etc/shorewall/tcrules file. While I currently have entries in
|
||||
/etc/shorewall/tcrules, I do so for <a
|
||||
href="Shorewall_Squid_Usage.html">policy routing for Squid</a> and not
|
||||
for Traffic Shaping.</p>
|
||||
<h3>My Old Setup<br>
|
||||
</h3>
|
||||
<p>I have also run with the following set of hand-crafted rules in my <b>/etc/shorewall/tcstart</b>
|
||||
file.<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
</blockquote>
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example
|
||||
1 above. When I was using these rules:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound from
|
||||
my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ
|
||||
traffic can use all available bandwidth if there is no traffic from the
|
||||
local systems or from my laptop or firewall).</li>
|
||||
<li>My laptop (which at that time connected via eth3) and local
|
||||
systems (eth2) could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.</li>
|
||||
</ol>
|
||||
Once www.shorewall.net was moved off-site, I no longer needed these
|
||||
shaping rules and The Wonder Shaper does all that I now require.<br>
|
||||
<p><font size="2">Last Updated 10/21/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.7
|
||||
VERSION=1.4.7a
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.7
|
||||
VERSION=1.4.7a
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.7
|
||||
%define version 1.4.7a
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -108,6 +108,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Tue Oct 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7a-1
|
||||
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-1
|
||||
- Removed conflict with 2.2 Kernels
|
||||
|
||||
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.4.7
|
||||
VERSION=1.4.7a
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user