diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm
index 357fe5341..3fff0057c 100644
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
@@ -2,306 +2,309 @@
-
+
-
+
-
+
Shorewall 1.4 Documentation
-
-
+
+
-
+
-
+
-
+
-
-
- |
+ |
+
+
-
+
Shorewall 1.4 Reference
- |
-
+
+
-
-
+
+
-
+
This documentation is intended primarily for reference.
- Step-by-step instructions for configuring Shorewall
-in common setups may be found in the QuickStart Guides.
-
+
Components
-
+
Shorewall consists of the following components:
-
+
-
+
/etc/shorewall/params
-
+
You may use the file /etc/shorewall/params file to set shell variables
- that you can then use in some of the other configuration
- files.
+ that you can then use in some of the other configuration
+ files.
-
+
It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally
- within the Shorewall programs
+ within the Shorewall programs
-
+
Example:
-
+
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918
-
+
Example (/etc/shorewall/interfaces record):
-
+
net $NET_IF $NET_BCAST $NET_OPTIONS
-
+
The result will be the same as if the record had been written
-
+
net eth0 130.252.100.255 blacklist,norfc1918
-
+
Variables may be used anywhere in the other configuration
- files.
+ files.
-
+
/etc/shorewall/zones
-
+
This file is used to define the network zones. There is one entry
- in /etc/shorewall/zones for each zone; Columns in an entry
- are:
+ in /etc/shorewall/zones for each zone; Columns in an entry
+ are:
-
+
- - ZONE - short name for the
-zone. The name should be 5 characters or less in length and
-consist of lower-case letters or numbers. Short names must begin
- with a letter and the name assigned to the firewall is reserved
-for use by Shorewall itself. Note that the output produced
- by iptables is much easier to read if you select short names
+
- ZONE - short name for the
+ zone. The name should be 5 characters or less in length
+and consist of lower-case letters or numbers. Short names must
+begin with a letter and the name assigned to the firewall is
+reserved for use by Shorewall itself. Note that the output produced
+ by iptables is much easier to read if you select short names
that are three characters or less in length. The name "all"
may not be used as a zone name nor may the zone name assigned to
the firewall itself via the FW variable in /etc/shorewall/shorewall.conf.
- - DISPLAY - The name of the
-zone as displayed during Shorewall startup.
- - COMMENTS - Any comments that
- you want to make about the zone. Shorewall ignores these
- comments.
-
+ - DISPLAY - The name of the
+ zone as displayed during Shorewall startup.
+ - COMMENTS - Any comments
+that you want to make about the zone. Shorewall ignores
+these comments.
+
-
+
The /etc/shorewall/zones file released with Shorewall is as follows:
-
+
-
-
- | ZONE |
- DISPLAY |
- COMMENTS |
-
-
- | net |
- Net |
- Internet |
-
-
- | loc |
- Local |
- Local networks |
-
-
- | dmz |
- DMZ |
- Demilitarized zone |
-
+
+
+ | ZONE |
+ DISPLAY |
+ COMMENTS |
+
+
+ | net |
+ Net |
+ Internet |
+
+
+ | loc |
+ Local |
+ Local networks |
+
+
+ | dmz |
+ DMZ |
+ Demilitarized zone |
+
-
+
-
+
-
+
You may add, delete and modify entries in the /etc/shorewall/zones file
- as desired so long as you have at least one zone defined.
+ as desired so long as you have at least one zone defined.
-
+
Warning 1: If you rename or delete a zone, you should perform "shorewall
- stop; shorewall start" to install the change rather than
- "shorewall restart".
+ stop; shorewall start" to install the change rather than
+ "shorewall restart".
-
+
Warning 2: The order of entries in the /etc/shorewall/zones file is
- significant in some cases.
+ significant in some cases.
-
+
/etc/shorewall/interfaces
-
+
This file is used to tell the firewall which of your firewall's network
- interfaces are connected to which zone. There will be one
- entry in /etc/shorewall/interfaces for each of your interfaces.
- Columns in an entry are:
-
+ interfaces are connected to which zone. There will be
+one entry in /etc/shorewall/interfaces for each of your interfaces.
+ Columns in an entry are:
+
- - ZONE - A zone defined in
-the /etc/shorewall/zones file or
- "-". If you specify "-", you must use the
-/etc/shorewall/hosts file to define the zones
- accessed via this interface.
- - INTERFACE - the name of the
- interface (examples: eth0, ppp0, ipsec+). Each interface can
- be listed on only one record in this file. DO
- NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!
- - BROADCAST - the broadcast
-address(es) for the sub-network(s) attached to the interface.
-This should be left empty for P-T-P interfaces (ppp*, ippp*); if
- you need to specify options for such an interface, enter "-"
+
- ZONE - A zone defined in
+ the /etc/shorewall/zones file or
+ "-". If you specify "-", you must use the
+ /etc/shorewall/hosts file to define the zones
+ accessed via this interface.
+ - INTERFACE - the name of
+the interface (examples: eth0, ppp0, ipsec+). Each interface
+can be listed on only one record in this file. DO NOT INCLUDE THE LOOPBACK INTERFACE
+(lo) IN THIS FILE!!!
+ - BROADCAST - the broadcast
+ address(es) for the sub-network(s) attached to the interface.
+ This should be left empty for P-T-P interfaces (ppp*, ippp*);
+if you need to specify options for such an interface, enter "-"
in this column. If you supply the special value "detect" in this
column, the firewall will automatically determine the broadcast
- address. In order to use "detect":
+ address. In order to use "detect":
-
+
- - the
-interface must be up before you start your firewall
- - the interface must only be attached
-to a single sub-network (i.e., there must have a single broadcast
- address).
+ - the
+ interface must be up before you start your firewall
+ - the interface must only be attached
+ to a single sub-network (i.e., there must have a single broadcast
+ address).
-
+
-
- - OPTIONS - a comma-separated
- list of options. Possible options include:
+
+ - OPTIONS - a comma-separated
+ list of options. Possible options include:
-
+
tcpflags (added in version 1.3.11) - This option causes Shorewall
to make sanity checks on the header flags in TCP packets arriving on this
interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these
@@ -309,61 +312,62 @@ flag combinations are typically used for "silent" port scans. Packets failing
these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according
to the TCP_FLAGS_DISPOSITION option.
-
- blacklist - This option causes incoming packets
- on this interface to be checked against the
+ blacklist - This option causes incoming packets
+ on this interface to be checked against the blacklist.
-
- dhcp - The interface is assigned an
-IP address via DHCP or is used by a DHCP server running
-on the firewall. The firewall will be configured to allow
-DHCP traffic to and from the interface even when the firewall
- is stopped. You may also wish to use this option if you have a static
-IP but you are on a LAN segment that has a lot of Laptops that use
-DHCP and you select the norfc1918 option (see below).
+
+ dhcp - The interface is assigned an
+ IP address via DHCP or is used by a DHCP server running
+ on the firewall. The firewall will be configured to allow
+ DHCP traffic to and from the interface even when the firewall
+ is stopped. You may also wish to use this option if you have a
+static IP but you are on a LAN segment that has a lot of Laptops
+ that use DHCP and you select the norfc1918 option
+(see below).
-
+
norfc1918 - Packets arriving on this interface and that
have a source address that is reserved in RFC 1918 or in other
- RFCs will be dropped after being optionally logged. If packet mangling is enabled in /etc/shorewall/shorewall.conf
- , then packets arriving on this interface that have a
+ , then packets arriving on this interface that have a
destination address that is reserved by one of these RFCs will
also be logged and dropped.
-
- Addresses blocked by the standard
+ Addresses blocked by the standard rfc1918 file include those
- addresses reserved by RFC1918 plus other ranges reserved by
+ addresses reserved by RFC1918 plus other ranges reserved by
the IANA or by other RFCs.
-
+
Beware that as IPv4 addresses become in increasingly short supply,
- ISPs are beginning to use RFC 1918 addresses within their
- own infrastructure. Also, many cable and DSL "modems" have
- an RFC 1918 address that can be used through a web browser for
- management and monitoring functions. If you want to specify norfc1918
- on your external interface but need to allow access to certain
- addresses from the above list, see FAQ
-14.
+ ISPs are beginning to use RFC 1918 addresses within their
+ own infrastructure. Also, many cable and DSL "modems" have
+ an RFC 1918 address that can be used through a web browser for
+ management and monitoring functions. If you want to specify
+ norfc1918 on your external interface but need to allow
+access to certain addresses from the above list, see FAQ 14.
-
+
routefilter - Invoke the Kernel's route filtering
- (anti-spoofing) facility on this interface. The kernel
- will reject any packets incoming on this interface that have
- a source address that would be routed outbound through another
- interface on the firewall. Warning:
- If you specify this option for an interface then the
- interface must be up prior to starting the firewall.
+ (anti-spoofing) facility on this interface. The kernel
+ will reject any packets incoming on this interface that have
+ a source address that would be routed outbound through another
+ interface on the firewall. Warning:
+ If you specify this option for an interface then
+the interface must be up prior to starting the firewall.
-
+
dropunclean - Packets from this interface that
are selected by the 'unclean' match target in iptables will
be optionally logged and then dropped.
@@ -372,22 +376,22 @@ the IANA or by other RFCs.
kernel, either in the kernel itself or as a module. UNCLEAN
support is broken in some versions of the kernel
but appears to work ok in 2.4.17-rc1.
-
- Update 12/17/2001: The
- unclean match patch from 2.4.17-rc1 is
- available
- for download. I am currently running
- this patch applied to kernel 2.4.16.
+
+ Update 12/17/2001: The
+ unclean match patch from 2.4.17-rc1 is
+ available
+ for download. I am currently running
+ this patch applied to kernel 2.4.16.
-
+
Update 12/20/2001: I've
- seen a number of tcp connection requests
- with OPT (020405B40000080A...) being
- dropped in the badpkt chain. This appears to be
- a bug in the remote TCP stack whereby it is 8-byte aligning
- a timestamp (TCP option 8) but rather than padding
-with 0x01 it is padding with 0x00. It's a tough call
+ seen a number of tcp connection requests
+ with OPT (020405B40000080A...) being
+ dropped in the badpkt chain. This appears to be
+ a bug in the remote TCP stack whereby it is 8-byte aligning
+ a timestamp (TCP option 8) but rather than padding
+ with 0x01 it is padding with 0x00. It's a tough call
whether to deny people access to your servers because
of this rather minor bug in their networking software.
If you wish to disable the check that causes
@@ -396,626 +400,612 @@ these connections to be dropped, against 2.4.17-rc2.
-
+
logunclean - This option works like dropunclean
- with the exception that packets selected
- by the 'unclean' match target in iptables
-are logged but not dropped. The
-level at which the packets are logged is determined by
- the setting of LOGUNCLEAN
-and if LOGUNCLEAN has not been set, "info" is assumed.
+ with the exception that packets selected
+ by the 'unclean' match target in iptables
+ are logged but not dropped. The
+ level at which the packets are logged is determined by
+ the setting of LOGUNCLEAN
+ and if LOGUNCLEAN has not been set, "info" is assumed.
-
+
proxyarp (Added in version 1.3.5) - This option
causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
- and is used when implementing Proxy ARP
- Sub-netting as described at
-
- http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do
- not set this option if you are implementing
-Proxy ARP through entries in
+ and is used when implementing Proxy
+ARP Sub-netting as described at
+
+ http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/.
+Do not set this option if you are implementing
+ Proxy ARP through entries in
/etc/shorewall/proxyarp.
-
- maclist (Added in version 1.3.10) -
-If this option is specified, all connection requests from this
-interface are subject to MAC Verification.
- May only be specified for ethernet interfaces.
-
-
+
+ maclist (Added in version 1.3.10)
+- If this option is specified, all connection requests from this
+ interface are subject to MAC Verification.
+ May only be specified for ethernet interfaces.
+
+
-
+
My recommendations concerning options:
-
-
+
+
- - External Interface -- tcpflags,blacklist,norfc1918,routefilter
- - Wireless Interface -- maclist,routefilter,tcpflags
-
- - Don't use dropunclean -- It's broken in
- my opinion
- - Use logunclean only when you are trying
- to debug a problem
- - Use dhcp and proxyarp when needed.
-
-
+ - External Interface -- tcpflags,blacklist,norfc1918,routefilter
+ - Wireless Interface -- maclist,routefilter,tcpflags
+
+ - Don't use dropunclean -- It's broken
+in my opinion
+ - Use logunclean only when you are trying
+ to debug a problem
+ - Use dhcp and proxyarp when needed.
+
+
-
+
-
+
Example 1: You have a conventional firewall setup in which eth0 connects
- to a Cable or DSL modem and eth1 connects to your local
-network and eth0 gets its IP address via DHCP. You want to
+ to a Cable or DSL modem and eth1 connects to your local
+ network and eth0 gets its IP address via DHCP. You want to
check all packets entering from the internet
against the black list. Your /etc/shorewall/interfaces
- file would be as follows:
-
-
-
-
-
-
-
- | ZONE |
- INTERFACE |
- BROADCAST |
- OPTIONS |
-
-
- | net |
- eth0 |
- detect |
- dhcp,norfc1918,blacklist |
-
-
- | loc |
- eth1 |
- detect |
-
- |
-
-
-
-
-
-
-
-
-
-
+ file would be as follows:
-Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces
- file would be:
-
+
-
-
-
+
- | ZONE |
- INTERFACE |
- BROADCAST |
- OPTIONS |
-
-
- | net |
- ppp0 |
-
-
- |
-
- |
-
+ ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ | net |
+ eth0 |
+ detect |
+ dhcp,norfc1918,blacklist |
+
+
+ | loc |
+ eth1 |
+ detect |
+
+ |
+
-
+
-
+
-
-Example 3: You have local interface eth1 with two IP
- addresses - 192.168.1.1/24 and 192.168.12.1/24
+
+Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces
+ file would be:
-
+
-
+
-
-
- | ZONE |
- INTERFACE |
- BROADCAST |
- OPTIONS |
-
-
- | loc |
- eth1 |
+
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ | net |
+ ppp0 |
- 192.168.1.255,192.168.12.255 |
-
- |
-
+
+ |
+
+ |
+
-
+
-
+
+
-
- /etc/shorewall/hosts
- Configuration
+
+Example 3: You have local interface eth1 with two IP
+ addresses - 192.168.1.1/24 and 192.168.12.1/24
-
+
+
+
+
+
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ | loc |
+ eth1 |
+
+ 192.168.1.255,192.168.12.255 |
+
+ |
+
+
+
+
+
+
+
+
+
+
+
+ /etc/shorewall/hosts
+ Configuration
+
+
For most applications, specifying zones entirely in terms of network
interfaces is sufficient. There may be times though where you need to
define a zone to be a more general collection of hosts. This is the purpose
of the /etc/shorewall/hosts file.
-
-WARNING: 90% of
- Shorewall users don't need to put entries in this file and
- 80% of those who try to add such entries do it wrong.
- Unless you are ABSOLUTELY SURE that you need entries in
- this file, don't touch it.
-
-
+
+WARNING: The only times that you need
+entries in /etc/shorewall/hosts are:
+
+
+ - You have more than one zone connecting through a single interface;
+or
+ - You have a zone that has multiple subnetworks that connect through
+a single interface and you want the Shorewall box to route traffic between
+those subnetworks.
+
+
+IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS FILE!!
Columns in this file are:
-
-
- - ZONE - A zone defined in
-the /etc/shorewall/zones file.
- - HOST(S) - The name of a network
- interface followed by a colon (":") followed by either:
-
-
-
-
-
-
-
-
-
- - An IP address (example
- - eth1:192.168.1.3)
-
- - A subnet in CIDR notation
- (example - eth2:192.168.2.0/24)
-
-
-
-
-
-
-
- The interface name much match an entry in /etc/shorewall/interfaces.
-
-
-
-
- - OPTIONS - A comma-separated
- list of option
-
-
-
-
-
-
-
- maclist - Added in version 1.3.10. If specified, connection
- requests from the hosts specified in this entry are subject to
- MAC Verification. This option is only
- valid for ethernet interfaces.
-
-
-
-
-
-If you don't define any hosts for a zone, the hosts in the zone default
- to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are
- the interfaces to the zone.
-
-
-
-Note: You probably DON'T
- want to specify any hosts for your internet zone since the hosts that
-you specify will be the only ones that you will be able to access without
-adding additional rules.
-
-
-
-
-Example:
-
-
-Your local interface is eth1 and you have two groups of local hosts that
- you want to make into separate zones:
-
- - 192.168.1.0/25
- - 192.168.1.128/25
-
+ - ZONE - A zone defined
+in the /etc/shorewall/zones file.
+ - HOST(S) - The name of a
+network interface followed by a colon (":") followed
+by either:
+
- Your /etc/shorewall/interfaces file might look like:
-
-
-
-
-
-
- | ZONE |
- INTERFACE |
- BROADCAST |
- OPTIONS |
-
-
- | net |
- eth0 |
- detect |
- dhcp,norfc1918 |
-
-
- | - |
- eth1 |
- detect |
-
- |
-
+
+
+
+
+ - An IP address (example
+ - eth1:192.168.1.3)
+
+ - A subnet in CIDR notation
+ (example - eth2:192.168.2.0/24)
-
-
-
-
-
-
-
+
+
-
- The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces
- to multiple zones.
+
+ The interface name much match an entry in /etc/shorewall/interfaces.
+
-
-
- Your /etc/shorewall/hosts file might look like:
-
-
-
-
-
-
-
-
-
- | ZONE |
- HOST(S) |
- OPTIONS |
-
-
- | loc1 |
- eth1:192.168.1.0/25 |
-
- |
-
-
- | loc2 |
- eth1:192.168.1.128/25 |
-
- |
-
-
-
-
-
-
-
-
-
-
- Nested and Overlapping
-Zones
-
-
-
- The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow
- you to define nested or overlapping zones. Such overlapping/nested zones
- are allowed and Shorewall processes zones in the order that
- they appear in the /etc/shorewall/zones file. So if you have
- nested zones, you want the sub-zone to appear before the super-zone
- and in the case of overlapping zones, the rules that will apply
- to hosts that belong to both zones is determined by which zone
-appears first in /etc/shorewall/zones.
-
-
-
- Hosts that belong to more than one zone may be managed by the rules
- of all of those zones. This is done through use of the special
- CONTINUE policy described below.
-
-
-
-
- /etc/shorewall/policy Configuration.
-
-
-This file is used to describe the firewall policy regarding establishment
- of connections. Connection establishment is described in
-terms of clients who initiate connections and servers
-who receive those connection requests. Policies defined
-in /etc/shorewall/policy describe which zones are allowed
-to establish connections with other zones.
-
-
-
-Policies established in /etc/shorewall/policy can be viewed as default
- policies. If no rule in /etc/shorewall/rules applies to
-a particular connection request then the policy from /etc/shorewall/policy
- is applied.
-
-
-
-Four policies are defined:
-
-
+
- - ACCEPT - The connection is
- allowed.
- - DROP - The connection request
- is ignored.
- - REJECT - The connection request
- is rejected with an RST (TCP) or an ICMP destination-unreachable
- packet being returned to the client.
- - CONTINUE - The connection
- is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may
-be used when one or both of the zones named in the entry are
- sub-zones of or intersect with another zone. For more information,
- see below.
-
+ - OPTIONS - A comma-separated
+ list of option
+
-
- For each policy specified in /etc/shorewall/policy, you can indicate
- that you want a message sent to your system log each time
- that the policy is applied.
+
+
+
+ maclist - Added in version 1.3.10. If specified, connection
+ requests from the hosts specified in this entry are subject to
+ MAC Verification. This option is only
+ valid for ethernet interfaces.
+
+
-
- Entries in /etc/shorewall/policy have four columns as follows:
+
+If you don't define any hosts for a zone, the hosts in the zone default
+ to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ...
+are the interfaces to the zone.
-
-
-
- - SOURCE
- - The name of a client zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all").
-
- - DEST
- - The name of a destination zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). Shorewall automatically
- allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the
- SOURCE and DEST columns.
-
- - POLICY
- - The default policy for connection requests from the SOURCE
- zone to the DESTINATION zone.
-
- - LOG
- LEVEL - Optional. If left empty, no log message is generated
- when the policy is applied. Otherwise, this column should contain
- an integer or name indicating a syslog level.
-
- - LIMIT:BURST
- - Optional. If left empty, TCP connection requests
- from the SOURCE zone to the DEST zone will
- not be rate-limited. Otherwise, this column specifies the maximum
- rate at which TCP connection requests will be accepted followed
- by a colon (":") followed by the maximum burst size that will be
- tolerated. Example: 10/sec:40 specifies that the maximum
- rate of TCP connection requests allowed will be 10 per second and
- a burst of 40 connections will be tolerated. Connection requests
-in excess of these limits will be dropped.
+
+Note: You probably DON'T
+ want to specify any hosts for your internet zone since the hosts that
+ you specify will be the only ones that you will be able to access without
+ adding additional rules.
-
-
+
+
+Example 1:
-
- In the SOURCE and DEST columns, you can enter "all" to indicate all
- zones.
+
+Your local interface is eth1 and you have two groups of local hosts that
+ you want to make into separate zones:
+
+
+
+ - 192.168.1.0/25
+ - 192.168.1.128/
+
+
+
+
+Your /etc/shorewall/interfaces file might look like:
-
- The policy file installed by default is as follows:
-
-
-
-
-
-
+
+
+
-
-
- | SOURCE |
- DEST |
- POLICY |
- LOG LEVEL |
- LIMIT:BURST |
-
-
- | loc |
- net |
- ACCEPT |
-
- |
-
-
- |
-
-
- | net |
- all |
- DROP |
- info |
-
- |
-
-
- | all |
- all |
- REJECT |
- info |
-
- |
-
+
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ | net |
+ eth0 |
+ detect |
+ dhcp,norfc1918 |
+
+
+ | - |
+ eth1 |
+ 192.168.1.127,192.168.1.255
+ |
+
+ |
+
-
+
-
+
-
- This table may be interpreted as follows:
+
+ The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces
+ to multiple zones.
-
+
+
+ Your /etc/shorewall/hosts file might look like:
+
+
+
+
+
+
+
+
+
+
+ | ZONE |
+ HOST(S) |
+ OPTIONS |
+
+
+ | loc1 |
+ eth1:192.168.1.0/25 |
+
+ |
+
+
+ | loc2 |
+ eth1:192.168.1.128/25 |
+
+ |
+
+
+
+
+
+
+
+
+
+
+Example 2:
+
+
+
+Your local interface is eth1 and you have two groups of local hosts that
+you want to consider as one zone and you want Shorewall to route between
+them:
+
+
- - All connection requests from the local
- network to hosts on the internet are accepted.
- - All connection requests originating
-from the internet are ignored and logged at level KERNEL.INFO.
- - All other connection requests are rejected
- and logged.
-
+ - 192.168.1.0/25
+ - 192.168.1.128/25
-
- WARNING:
-
-
- The firewall script processes the
- /etc/shorewall/policy file from top to bottom and uses
- the first applicable policy that it finds. For example,
- in the following policy file, the policy for (loc, loc) connections
- would be ACCEPT as specified in the first entry even though the
- third entry in the file specifies REJECT.
-
-
-
-
-
-
-
- | SOURCE |
- DEST |
- POLICY |
- LOG LEVEL |
- LIMIT:BURST |
-
-
- | loc |
- all |
- ACCEPT |
-
- |
-
- |
-
-
-
- | net |
- all |
- DROP |
- info |
-
- |
-
-
- | loc |
- loc |
- REJECT |
- info |
-
- |
-
+
+ Your /etc/shorewall/interfaces file might look like:
-
-
-
-
-
-
-
-
-
-
- The CONTINUE policy
-
-
- Where zones are nested or overlapping , the
- CONTINUE policy allows hosts that are within multiple zones
- to be managed under the rules of all of these zones. Let's look
- at an example:
-
-
- /etc/shorewall/zones:
-
-
-
+
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ | net |
+ eth0 |
+ detect |
+ dhcp,norfc1918 |
+
+
+ loc
+ |
+ eth1 |
+ 192.168.1.127,192.168.1.255
+ |
+
+ |
+
-
- | ZONE |
- DISPLAY |
- COMMENTS |
-
-
- | sam |
- Sam |
- Sam's system at home |
-
-
- | net |
- Internet |
- The Internet |
-
-
- | loc |
- Loc |
- Local Network |
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Your /etc/shorewall/hosts file might look like:
+
+
+
+
+
+
+
+
+
+
+ | ZONE |
+ HOST(S) |
+ OPTIONS |
+
+
+ | loc |
+ eth1:192.168.1.0/25 |
+
+ |
+
+
+ | loc |
+ eth1:192.168.1.128/25 |
+
+ |
+
+
+
+
+
+
+
+
+
+
+ Nested and Overlapping
+Zones
+
+
+
+ The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow
+ you to define nested or overlapping zones. Such overlapping/nested zones
+ are allowed and Shorewall processes zones in the order
+that they appear in the /etc/shorewall/zones file. So if you
+have nested zones, you want the sub-zone to appear before
+the super-zone and in the case of overlapping zones, the rules
+that will apply to hosts that belong to both zones is determined
+by which zone appears first in /etc/shorewall/zones.
+
+
+
+ Hosts that belong to more than one zone may be managed by the rules
+ of all of those zones. This is done through use of the special
+ CONTINUE policy described below.
+
+
+
+
+ /etc/shorewall/policy Configuration.
+
+
+This file is used to describe the firewall policy regarding establishment
+ of connections. Connection establishment is described in
+terms of clients who initiate connections and servers
+ who receive those connection requests. Policies defined
+ in /etc/shorewall/policy describe which zones are allowed
+to establish connections with other zones.
+
+
+
+Policies established in /etc/shorewall/policy can be viewed as default
+ policies. If no rule in /etc/shorewall/rules applies to
+ a particular connection request then the policy from /etc/shorewall/policy
+ is applied.
+
+
+
+Four policies are defined:
+
+
+
+ - ACCEPT - The connection
+is allowed.
+ - DROP - The connection request
+ is ignored.
+ - REJECT - The connection
+request is rejected with an RST (TCP) or an ICMP destination-unreachable
+ packet being returned to the client.
+ - CONTINUE - The connection
+ is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may
+ be used when one or both of the zones named in the entry are
+ sub-zones of or intersect with another zone. For more information,
+ see below.
+ - NONE - (Added in version 1.4.1) - Shorewall should not set up
+any infrastructure for handling traffic from the SOURCE zone to the DEST
+zone. When this policy is specified, the LOG LEVEL and BURST:LIMIT
+ columns must be left blank.
+
+
+
+
+
+
+ For each policy specified in /etc/shorewall/policy, you can indicate
+ that you want a message sent to your system log each time
+ that the policy is applied.
+
+
+
+ Entries in /etc/shorewall/policy have four columns as follows:
+
+
+
+
+
+ -
+SOURCE - The name of a client zone (a zone defined in the
+ /etc/shorewall/zones file , the
+ name of the firewall zone or "all").
+
+ -
+DEST - The name of a destination zone (a zone defined in
+the /etc/shorewall/zones file , the
+ name of the firewall zone or "all"). Shorewall
+automatically allows all traffic from the firewall to itself so
+the name of the firewall zone cannot appear in both
+the SOURCE and DEST columns.
+
+ -
+POLICY - The default policy for connection requests from
+the SOURCE zone to the DESTINATION zone.
+
+ -
+LOG LEVEL - Optional. If left empty, no log message is
+generated when the policy is applied. Otherwise, this column
+should contain an integer or name indicating a syslog level.
+
+ - LIMIT:BURST
+ - Optional. If left empty, TCP connection requests
+ from the SOURCE zone to the DEST zone will
+ not be rate-limited. Otherwise, this column specifies the maximum
+ rate at which TCP connection requests will be accepted followed
+ by a colon (":") followed by the maximum burst size that will be
+ tolerated. Example: 10/sec:40 specifies that the maximum
+ rate of TCP connection requests allowed will be 10 per second and
+ a burst of 40 connections will be tolerated. Connection requests
+ in excess of these limits will be dropped.
+
+
+
+
+
+
+
+ In the SOURCE and DEST columns, you can enter "all" to indicate all
+ zones.
+
+
+
+ The policy file installed by default is as follows:
+
+
+
+
+
+
+
+
+
+
+ | SOURCE |
+ DEST |
+ POLICY |
+ LOG LEVEL |
+ LIMIT:BURST |
+
+
+ | loc |
+ net |
+ ACCEPT |
+
+ |
+
+
+ |
+
+
+ | net |
+ all |
+ DROP |
+ info |
+
+ |
+
+
+ | all |
+ all |
+ REJECT |
+ info |
+
+ |
+
@@ -1023,38 +1013,77 @@ from the internet are ignored and logged at level KERNEL.INFO
-
+
-
+
+
+
+
+ This table may be interpreted as follows:
+
+
+
+ - All connection requests from the
+local network to hosts on the internet are accepted.
+ - All connection requests originating
+ from the internet are ignored and logged at level KERNEL.INFO.
+ - All other connection requests are
+rejected and logged.
+
+
- /etc/shorewall/interfaces:
+WARNING:
-
-
+ The firewall script processes the
+ /etc/shorewall/policy file from top to bottom and uses
+ the first applicable policy that it finds. For example,
+ in the following policy file, the policy for (loc, loc) connections
+ would be ACCEPT as specified in the first entry even though the
+ third entry in the file specifies REJECT.
+
+
+
+
+
-
+
-
- | ZONE |
- INTERFACE |
- BROADCAST |
- OPTIONS |
-
-
- | - |
- eth0 |
- detect |
- dhcp,norfc1918 |
-
-
- | loc |
- eth1 |
- detect |
-
- |
-
+
+ | SOURCE |
+ DEST |
+ POLICY |
+ LOG LEVEL |
+ LIMIT:BURST |
+
+
+ | loc |
+ all |
+ ACCEPT |
+
+ |
+
+ |
+
+
+
+ | net |
+ all |
+ DROP |
+ info |
+
+ |
+
+
+ | loc |
+ loc |
+ REJECT |
+ info |
+
+ |
+
@@ -1062,38 +1091,70 @@ from the internet are ignored and logged at level KERNEL.INFO
-
+
-
+
- /etc/shorewall/hosts:
+IntraZone Traffic
+Shorewall allows a zone to be associated with more than one interface or
+with multiple networks that interface through a single interface. Beginning
+with Shorewall 1.4.1, Shorewall will ACCEPT all traffic from a zone to itself
+provided that there is no explicit policy governing traffic from that zone
+to itself (an explicit policy does not specify "all" in either the SOURCE
+or DEST column) and that there are no rules concerning connections from that
+zone to itself. If there is an explicit policy or if there are one or more
+rules, then traffic within the zone is handled just like traffic between
+zones is.
+Any time that you have multiple interfaces associated with a single zone,
+you should ask yourself if you really want traffic routed between those interfaces.
+Cases where you might not want that behavior are:
+
+
+ - Multiple 'net' interfaces to different ISPs. You don't want to route
+traffic from one ISP to the other through your firewall.
+ - Multiple VPN clients. You don't necessarily want them to all be able
+to communicate between themselves using your gateway/router.
+
+
+
+ The CONTINUE policy
-
+ Where zones are nested or overlapping , the
+ CONTINUE policy allows hosts that are within multiple zones
+ to be managed under the rules of all of these zones. Let's look
+ at an example:
+
+ /etc/shorewall/zones:
+
+
+
+
-
+
-
- | ZONE |
- HOST(S) |
- OPTIONS |
-
-
- | net |
- eth0:0.0.0.0/0 |
-
- |
-
-
-
- | sam |
- eth0:206.191.149.197 |
-
- |
-
+
+ | ZONE |
+ DISPLAY |
+ COMMENTS |
+
+
+ | sam |
+ Sam |
+ Sam's system at home |
+
+
+ | net |
+ Internet |
+ The Internet |
+
+
+ | loc |
+ Loc |
+ Local Network |
+
@@ -1102,519 +1163,238 @@ from the internet are ignored and logged at level KERNEL.INFO
-
-
+
- Note that Sam's home system is a member of both the sam zone
- and the net
- zone and as described above , that means
- that sam must be listed before net in /etc/shorewall/zones.
+ /etc/shorewall/interfaces:
- /etc/shorewall/policy:
-
-
-
+
-
+
-
- | SOURCE |
- DEST |
- POLICY |
- LOG LEVEL |
-
-
- | loc |
- net |
- ACCEPT |
-
- |
-
-
-
- | sam |
- all |
- CONTINUE |
-
- |
-
-
-
- | net |
- all |
- DROP |
- info |
-
-
- | all |
- all |
- REJECT |
- info |
-
+
+ | ZONE |
+ INTERFACE |
+ BROADCAST |
+ OPTIONS |
+
+
+ | - |
+ eth0 |
+ detect |
+ dhcp,norfc1918 |
+
+
+ | loc |
+ eth1 |
+ detect |
+
+ |
+
+
+
+
+
+
+
+
+
+ /etc/shorewall/hosts:
+
+
+
+
+
+
+
+
+
+ | ZONE |
+ HOST(S) |
+ OPTIONS |
+
+
+ | net |
+ eth0:0.0.0.0/0 |
+
+ |
+
+
+
+ | sam |
+ eth0:206.191.149.197 |
+
+ |
+
+
+
+
+
+
-
+
-
- The second entry above says that when Sam is the client, connection
- requests should first be process under rules where the source
- zone is sam and if there is no match then the connection
- request should be treated under rules where the source zone is
- net. It is important that this policy be listed BEFORE
-the next policy (net to all).
+
+ Note that Sam's home system is a member of both the sam zone
+ and the net
+ zone and as described above , that means
+ that sam must be listed before net in /etc/shorewall/zones.
-
- Partial /etc/shorewall/rules:
+
+ /etc/shorewall/policy:
-
-
+
-
+
- | ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
- PORT(S) |
- SOURCE
- PORT(S) |
- ORIGINAL
- DEST |
-
-
-
- | ... |
-
- |
-
- |
-
- |
-
- |
-
- |
-
- |
-
+ SOURCE |
+ DEST |
+ POLICY |
+ LOG LEVEL |
+
+
+ | loc |
+ net |
+ ACCEPT |
+
+ |
+
- | DNAT |
- sam |
- loc:192.168.1.3 |
- tcp |
- ssh |
- - |
-
- |
-
-
- | DNAT |
- net |
- loc:192.168.1.5 |
- tcp |
- www |
- - |
-
- |
-
-
- | ... |
-
- |
-
- |
-
- |
-
- |
-
- |
-
- |
-
+ sam |
+ all |
+ CONTINUE |
+
+ |
+
+
+
+ | net |
+ all |
+ DROP |
+ info |
+
+
+ | all |
+ all |
+ REJECT |
+ info |
+
-
+
-
-
-
-
- Given these two rules, Sam can connect to the firewall's internet interface
- with ssh and the connection request will be forwarded to
-192.168.1.3. Like all hosts in the net zone, Sam can
-connect to the firewall's internet interface on TCP port 80
-and the connection request will be forwarded to 192.168.1.5. The
-order of the rules is not significant.
-
-
- Sometimes it is necessary to suppress port forwarding
- for a sub-zone. For example, suppose that all hosts can
-SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT
-Sam. When Sam connects to the firewall's external IP, he should
-be connected to the firewall itself. Because of the way that Netfilter
- is constructed, this requires two rules as follows:
-
-
-
-
-
-
-
-
-
-
-
- | ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
- PORT(S) |
- SOURCE
- PORT(S) |
- ORIGINAL
- DEST |
-
-
-
-
- |
-
- |
-
- |
-
- |
-
- |
-
- |
-
- |
-
-
- | ... |
-
- |
-
- |
-
- |
-
- |
-
- |
-
- |
-
-
-
- | DNAT |
- sam |
- fw |
- tcp |
- ssh |
- - |
-
- |
-
-
- | DNAT |
- net!sam |
- loc:192.168.1.3 |
- tcp |
- ssh |
- - |
-
- |
-
-
- | ... |
-
- |
-
- |
-
- |
-
- |
-
- |
-
- |
-
-
-
-
-
-
-
-
-The first rule allows Sam SSH
- access to the firewall. The second
- rule says that any clients from the
- net zone with the exception of those
- in the 'sam' zone should have their
- connection port forwarded to
- 192.168.1.3. If you need to exclude
- more than one zone in this way,
- you can list
-the zones separated by
- commas (e.g., net!sam,joe,fred).
- This technique also may be used when
- the ACTION is REDIRECT.
+ The second entry above says that when Sam is the client, connection
+ requests should first be process under rules where the
+source zone is sam and if there is no match then the
+connection request should be treated under rules where the source
+zone is net. It is important that this policy be listed
+BEFORE the next policy (net to all).
+
+ Partial /etc/shorewall/rules:
-
-
- /etc/shorewall/rules
-
-
-
-The /etc/shorewall/rules file defines exceptions to the policies established
- in the /etc/shorewall/policy file. There is one entry in
- /etc/shorewall/rules for each of these rules.
-
-
-Shorewall automatically enables firewall->firewall traffic over the
- loopback interface (lo) -- that traffic cannot be regulated using
- rules and any rule that tries to regulate such traffic will generate
- a warning and will be ignored.
-
-
-
-
-Entries in the file have the following columns:
-
-
-
-
-
- Example 1. You wish to forward all
- ssh connection requests from the internet to local system
- 192.168.1.3.
-
-
-
+
-
+
-
- | ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
- PORT(S) |
- SOURCE
- PORT(S) |
- ORIGINAL
- DEST |
+
+ | ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+ PORT(S) |
+ SOURCE
+ PORT(S) |
+ ORIGINAL
+ DEST |
-
-
- | DNAT |
- net |
- loc:192.168.1.3 |
- tcp |
- ssh |
-
- |
-
- |
-
+
+
+ | ... |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+
+
+ | DNAT |
+ sam |
+ loc:192.168.1.3 |
+ tcp |
+ ssh |
+ - |
+
+ |
+
+
+ | DNAT |
+ net |
+ loc:192.168.1.5 |
+ tcp |
+ www |
+ - |
+
+ |
+
+
+ | ... |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
@@ -1623,16 +1403,387 @@ the scope of a rule by incoming interface.
-
+
-
+
-
+
+ Given these two rules, Sam can connect to the firewall's internet interface
+ with ssh and the connection request will be forwarded to
+ 192.168.1.3. Like all hosts in the net zone, Sam can
+ connect to the firewall's internet interface on TCP port 80
+ and the connection request will be forwarded to 192.168.1.5.
+The order of the rules is not significant.
+
+
+ Sometimes it is necessary to suppress port forwarding
+ for a sub-zone. For example, suppose that all hosts can
+ SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT
+Sam. When Sam connects to the firewall's external IP, he should
+be connected to the firewall itself. Because of the way that Netfilter
+ is constructed, this requires two rules as follows:
+
+
+
+
+
+
+
+
+
+
+
+
+
+ | ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+ PORT(S) |
+ SOURCE
+ PORT(S) |
+ ORIGINAL
+ DEST |
+
+
+
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+
+ | ... |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+
+
+ | DNAT |
+ sam |
+ fw |
+ tcp |
+ ssh |
+ - |
+
+ |
+
+
+ | DNAT |
+ net!sam |
+ loc:192.168.1.3 |
+ tcp |
+ ssh |
+ - |
+
+ |
+
+
+ | ... |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+ |
+
+
+
+
+
+
+
+
+
+
+
+
+The first rule allows Sam SSH
+ access to the firewall. The second
+ rule says that any clients from the
+ net zone with the exception of those
+ in the 'sam' zone should have their
+ connection port forwarded to
+ 192.168.1.3. If you need to exclude
+ more than one zone in this way,
+ you can list
+the zones separated by
+ commas (e.g., net!sam,joe,fred).
+ This technique also may be used when
+ the ACTION is REDIRECT.
+
+
+
+
+ /etc/shorewall/rules
+
+
+
+The /etc/shorewall/rules file defines exceptions to the policies established
+ in the /etc/shorewall/policy file. There is one entry in
+ /etc/shorewall/rules for each of these rules.
+
+
+Shorewall automatically enables firewall->firewall traffic over the
+ loopback interface (lo) -- that traffic cannot be regulated using
+ rules and any rule that tries to regulate such traffic will generate
+ a warning and will be ignored.
+
+
+
+
+Entries in the file have the following columns:
+
+
+
+
+
+ Example 1. You wish to forward all
+ ssh connection requests from the internet to local system
+ 192.168.1.3.
+
+
+
+
+
+
+
+
+
+ | ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+ PORT(S) |
+ SOURCE
+ PORT(S) |
+ ORIGINAL
+ DEST |
+
+
+
+ | DNAT |
+ net |
+ loc:192.168.1.3 |
+ tcp |
+ ssh |
+
+ |
+
+ |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Example 2. You want to redirect all local www connection requests
- EXCEPT those
- to your own http server
- (206.124.146.177) to a Squid
- transparent proxy running on the firewall
+ EXCEPT those
+ to your own http server
+ (206.124.146.177) to a Squid
+ transparent proxy running on the firewall
and listening on port 3128. Squid will of course require access
to remote web servers. This example shows yet
another use for the ORIGINAL
@@ -1644,556 +1795,191 @@ to remote web servers. This example shows yet
destined to 206.124.146.177 are
redirected to local port 3128.
-
+
+
-
-
-
- | ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
- PORT(S) |
- SOURCE
- PORT(S) |
- ORIGINAL
- DEST |
-
-
-
- | REDIRECT |
- loc |
- 3128 |
- tcp |
- www |
- -
- |
- !206.124.146.177 |
-
-
- | ACCEPT |
- fw |
- net |
- tcp |
- www |
-
- |
-
- |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Example 3. You want to run a web server at 155.186.235.222 in
-your DMZ and have it accessible remotely and locally. the DMZ is managed
- by Proxy ARP or by classical sub-netting.
-
-
-
-
-
-
+
- | ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
- PORT(S) |
- SOURCE
- PORT(S) |
- ORIGINAL
- DEST |
+ ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+ PORT(S) |
+ SOURCE
+ PORT(S) |
+ ORIGINAL
+ DEST |
-
- | ACCEPT |
- net |
- dmz:155.186.235.222 |
- tcp |
- www |
- - |
-
- |
-
-
-
- | ACCEPT |
- loc |
- dmz:155.186.235.222 |
- tcp |
- www |
-
- |
-
- |
-
+
+ | REDIRECT |
+ loc |
+ 3128 |
+ tcp |
+ www |
+ -
+ |
+ !206.124.146.177 |
+
+
+ | ACCEPT |
+ fw |
+ net |
+ tcp |
+ www |
+
+ |
+
+ |
+
-
+
-
+
-
- Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded
- DMZ. Your internet interface address is 155.186.235.151
- and you want the FTP server to be accessible from the internet
- in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24
- subnetworks. Note that since the server is in the 192.168.2.0/24
- subnetwork, we can assume that access to the server from that subnet
- will not involve the firewall (but see FAQ
- 2). Note that unless you
- have more than one external
- IP address, you can leave
- the ORIGINAL DEST column
- blank in the first rule. You
- cannot leave it blank
-in the second rule though
- because then all
-ftp connections
- originating in the local
- subnet 192.168.1.0/24 would
- be sent to 192.168.2.2
- regardless of the site that
- the user was trying to
- connect to. That is
- clearly not what you
-want 
- .
+
+Example 3. You want to run a web server at 155.186.235.222 in
+your DMZ and have it accessible remotely and locally. the DMZ is managed
+ by Proxy ARP or by classical sub-netting.
-
-
+
-
+
- | ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
- PORT(S) |
- SOURCE
- PORT(S) |
- ORIGINAL
- DEST |
+ ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+ PORT(S) |
+ SOURCE
+ PORT(S) |
+ ORIGINAL
+ DEST |
-
- | DNAT |
- net |
- dmz:192.168.2.2 |
- tcp |
- ftp |
-
- |
-
- |
-
-
- | DNAT |
- loc:192.168.1.0/24 |
- dmz:192.168.2.2 |
- tcp |
- ftp |
- - |
- 155.186.235.151 |
-
+
+ | ACCEPT |
+ net |
+ dmz:155.186.235.222 |
+ tcp |
+ www |
+ - |
+
+ |
+
+
+
+ | ACCEPT |
+ loc |
+ dmz:155.186.235.222 |
+ tcp |
+ www |
+
+ |
+
+ |
+
-
+
-
-
-
-
-
-
-If you are running wu-ftpd, you should restrict the range of passive
- in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions
- so I use port range 65500-65535. In /etc/ftpaccess, this
- entry is appropriate:
-
-
-
-
-
-
-
-
- passive ports 0.0.0.0/0 65500 65534
-
-
-
-
-
-If you are running pure-ftpd, you would include "-p 65500:65534" on
- the pure-ftpd runline.
-
-
-
-
-The important point here is to ensure that the port range used for FTP
- passive connections is unique and will not overlap with
-any usage on the firewall system.
-
-
-
-
-Example 5. You
- wish to allow unlimited
- DMZ access to the host
- with MAC address
- 02:00:08:E3:FA:55.
-
-
-
-
-
-
-
-
-
-
- | ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
- PORT(S) |
- SOURCE
- PORT(S) |
- ORIGINAL
- DEST |
-
-
-
- | ACCEPT |
- loc:~02-00-08-E3-FA-55 |
- dmz |
- all |
-
- |
-
- |
-
- |
-
-
-
-
-
-
-
-
+
+ Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded
+ DMZ. Your internet interface address is 155.186.235.151
+ and you want the FTP server to be accessible from the internet
+ in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24
+ subnetworks. Note that since the server is in the 192.168.2.0/24
+ subnetwork, we can assume that access to the server from that subnet
+ will not involve the firewall (but see FAQ
+ 2). Note that unless you
+ have more than one external
+ IP address, you can leave
+ the ORIGINAL DEST column
+ blank in the first rule. You
+ cannot leave it blank
+in the second rule though
+ because then all
+ ftp connections
+ originating in the local
+ subnet 192.168.1.0/24 would
+ be sent to 192.168.2.2
+ regardless of the site that
+ the user was trying to
+ connect to. That
+is clearly not what
+you want
+ .
- Example
- 6. You wish to allow access to the SMTP server in your DMZ
-from all zones.
-
-
-
-
-
-
- ACTION
- |
- SOURCE
- |
- DEST
- |
- PROTO
- |
- DEST
- PORT(S)
- |
- SOURCE
- PORT(S)
- |
- ORIGINAL
- DEST
- |
-
-
- ACCEPT
- |
- all
- |
- dmz
- |
- tcp
- |
- 25
- |
-
- |
-
- |
-
-
-
-
-
-
-
- Note: When 'all' is used as a source or destination,
- intra-zone traffic is not affected. In this example, if there were
- two DMZ interfaces then the above rule would NOT enable SMTP traffic
- between hosts on these interfaces.
-
- Example 7 (For advanced users running Shorewall version
- 1.3.13 or later). From the internet, you with to forward tcp
-port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177
-in your DMZ. You also want to allow access from the internet directly
-to tcp port 25 on 192.0.2.177.
-
-
-
-
-
- ACTION
- |
- SOURCE
- |
- DEST
- |
- PROTO
- |
- DEST
- PORT(S)
- |
- SOURCE
- PORT(S)
- |
- ORIGINAL
- DEST
- |
-
-
- DNAT-
- |
- net
- |
- dmz:192.0.2.177
- |
- tcp
- |
- 25
- |
- 0
- |
- 192.0.2.178
- |
-
-
- DNAT-
- |
- net
- |
- dmz:192.0.2.177
- |
- tcp
- |
- 25
- |
- 0
- |
- 192.0.2.179
- |
-
-
- ACCEPT
- |
- net
- |
- dmz:192.0.2.177
- |
- tcp
- |
- 25
- |
-
- |
-
- |
-
-
-
-
-
-
- Using "DNAT-" rather than "DNAT" avoids two extra copies
- of the third rule from being generated.
-
-Look here for information on other services.
-
-
-
-
-
-
- /etc/shorewall/common
-
-
-
-
-Shorewall allows
- definition of rules that
- apply between all zones.
- By default, these rules
- are defined in the file
- /etc/shorewall/common.def
- but may be modified to
- suit individual
- requirements. Rather
- than
- modify
-/etc/shorewall/common.def,
- you should copy that
- file to
- /etc/shorewall/common
- and modify that
- file.
-
-
-
-
-The /etc/shorewall/common
- file
- is expected to
- contain iptables
- commands; rather than
- running iptables
- directly, you should run
- it indirectly using the
- Shorewall function
- 'run_iptables'.
- That way, if iptables
- encounters an error, the
- firewall will be safely
- stopped.
-
-
-
-
-
- /etc/shorewall/masq
-
-
-
-
-The /etc/shorewall/masq file is used to define classical IP Masquerading
- and Source Network Address Translation (SNAT). There is one
- entry in the file for each subnet that you want to masquerade.
- In order to make use of this feature, you must have NAT enabled .
-
-
-
-
- Columns are:
-
- - INTERFACE - The interface
-that will masquerade the subnet; this is normally your
-internet interface. This interface name can be optionally
- qualified by adding ":" and a subnet or host IP. When this
- qualification is added, only packets addressed to that host or subnet
- will be masqueraded. Beginning with Shorewall version 1.3.14, if
-you have set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf,
- you can cause Shorewall to create an alias label of the form interfacename:digit
- (e.g., eth0:0) by placing that label in this column. See example
- 5 below. Alias labels created in this way allow the alias to be visible
- to the ipconfig utility. THAT IS THE ONLY THING THAT THIS LABEL
-IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.
- - SUBNET - The subnet that
-you want to have masqueraded through the INTERFACE. This
-may be expressed as a single IP address, a subnet or an interface
- name. In the latter instance, the interface must be configured and
- started before Shorewall is started as Shorewall will determine
- the subnet based on information obtained from the 'ip' utility.
- When using Shorewall 1.3.13 or earlier, when
- an interface name is specified, Shorewall will only masquerade traffic
-from the first subnetwork on the named interface; if the interface interfaces
- to more that one subnetwork, you will need to add additional entries to
- this file for each of those other subnetworks. Beginning with Shorewall
-1.3.14, shorewall will masquerade/SNAT traffic from any host that is routed
-through the named interface.
-
- The subnet may be optionally followed by
- "!' and a comma-separated list of addresses and/or subnets
- that are to be excluded from masquerading.
- - ADDRESS - The source address
-to be used for outgoing packets. This column is optional and
-if left blank, the current primary IP address of the interface
- in the first column is used. If you have a static IP on that interface,
- listing it here makes processing of output packets a little less
- expensive for the firewall. If you specify an address in this column,
-it must be an IP address configured on the INTERFACE or you must have ADD_SNAT_ALIASES
- enabled in /etc/shorewall/shorewall.conf.
-
-
+
-
-
- Example 1: You have eth0 connected to a cable modem and eth1
- connected to your local subnetwork 192.168.9.0/24. Your
-/etc/shorewall/masq file would look like:
-
-
-
-
-
+
-
+
-
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
-
- | eth0 |
- 192.168.9.0/24 |
-
- |
-
+
+ | ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+ PORT(S) |
+ SOURCE
+ PORT(S) |
+ ORIGINAL
+ DEST |
+
+
+
+ | DNAT |
+ net |
+ dmz:192.168.2.2 |
+ tcp |
+ ftp |
+
+ |
+
+ |
+
+
+ | DNAT |
+ loc:192.168.1.0/24 |
+ dmz:192.168.2.2 |
+ tcp |
+ ftp |
+ - |
+ 155.186.235.151 |
+
@@ -2203,88 +1989,460 @@ it must be an IP address configured on the INTERFACE or you must have ADD_SNA
-
+
-
+
-
- Example 2: You have a number of IPSEC tunnels through ipsec0
- and you want to masquerade traffic from your 192.168.9.0/24
- subnet to the remote subnet 10.1.0.0/16 only.
+
+
+If you are running wu-ftpd, you should restrict the range of passive
+ in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions
+ so I use port range 65500-65535. In /etc/ftpaccess, this
+ entry is appropriate:
-
+
+
-
+
+
+ passive ports 0.0.0.0/0 65500 65534
+
+
+
+
+
+If you are running pure-ftpd, you would include "-p 65500:65534" on
+ the pure-ftpd runline.
+
+
+
+
+The important point here is to ensure that the port range used for FTP
+ passive connections is unique and will not overlap with
+any usage on the firewall system.
+
+
+
+
+Example 5. You
+ wish to allow unlimited
+ DMZ access to the host
+ with MAC address
+ 02:00:08:E3:FA:55.
+
+
+
+
+
+
+
-
+
+
+
+ | ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+ PORT(S) |
+ SOURCE
+ PORT(S) |
+ ORIGINAL
+ DEST |
+
+
+
+ | ACCEPT |
+ loc:~02-00-08-E3-FA-55 |
+ dmz |
+ all |
+
+ |
+
+ |
+
+ |
+
+
+
+
+
+
+
+
+
+
+
+
+ Example
+ 6. You wish to allow access to the SMTP server in your DMZ
+from all zones.
+
+
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DEST
+ |
+ PROTO
+ |
+ DEST
+ PORT(S)
+ |
+ SOURCE
+ PORT(S)
+ |
+ ORIGINAL
+ DEST
+ |
+
+
+ ACCEPT
+ |
+ all
+ |
+ dmz
+ |
+ tcp
+ |
+ 25
+ |
+
+ |
+
+ |
+
+
+
+
+
+
+
+
+ Note: When 'all' is used as a source or destination,
+ intra-zone traffic is not affected. In this example, if there were
+ two DMZ interfaces then the above rule would NOT enable SMTP traffic
+ between hosts on these interfaces.
+
+ Example 7 (For advanced users running Shorewall version
+ 1.3.13 or later). From the internet, you with to forward tcp
+port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177
+in your DMZ. You also want to allow access from the internet directly
+to tcp port 25 on 192.0.2.177.
+
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DEST
+ |
+ PROTO
+ |
+ DEST
+ PORT(S)
+ |
+ SOURCE
+ PORT(S)
+ |
+ ORIGINAL
+ DEST
+ |
+
+
+ DNAT-
+ |
+ net
+ |
+ dmz:192.0.2.177
+ |
+ tcp
+ |
+ 25
+ |
+ 0
+ |
+ 192.0.2.178
+ |
+
+
+ DNAT-
+ |
+ net
+ |
+ dmz:192.0.2.177
+ |
+ tcp
+ |
+ 25
+ |
+ 0
+ |
+ 192.0.2.179
+ |
+
+
+ ACCEPT
+ |
+ net
+ |
+ dmz:192.0.2.177
+ |
+ tcp
+ |
+ 25
+ |
+
+ |
+
+ |
+
+
+
+
+
+
+ Using "DNAT-" rather than "DNAT" avoids two extra copies
+ of the third rule from being generated.
+
+Look here for information on other services.
+
+
+
+
+
+
+ /etc/shorewall/common
+
+
+
+
+Shorewall allows
+ definition of rules that
+ apply between all zones.
+ By default, these rules
+ are defined in the file
+ /etc/shorewall/common.def
+ but may be modified to
+ suit individual
+ requirements. Rather
+
+than modify
+ /etc/shorewall/common.def,
+ you should copy that
+ file to
+ /etc/shorewall/common
+ and modify
+ that file.
+
+
+
+
+The /etc/shorewall/common
+
+file is expected to
+ contain iptables
+ commands; rather than
+ running iptables
+ directly, you should run
+ it indirectly using
+the Shorewall
+ function 'run_iptables'.
+ That way, if iptables
+ encounters an error, the
+ firewall will be safely
+ stopped.
+
+
+
+
+
+ /etc/shorewall/masq
+
+
+
+
+The /etc/shorewall/masq file is used to define classical IP Masquerading
+ and Source Network Address Translation (SNAT). There is
+one entry in the file for each subnet that you want to masquerade.
+ In order to make use of this feature, you must have NAT enabled .
+
+
+
+
+ Columns are:
+
+
+ - INTERFACE - The interface
+ that will masquerade the subnet; this is normally your
+ internet interface. This interface name can be optionally
+ qualified by adding ":" and a subnet or host IP. When this
+ qualification is added, only packets addressed to that host or
+subnet will be masqueraded. Beginning with Shorewall version 1.3.14,
+if you have set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf,
+ you can cause Shorewall to create an alias label of the form
+ interfacename:digit (e.g., eth0:0) by placing that label
+in this column. See example 5 below. Alias labels created in this way
+allow the alias to be visible to the ipconfig utility. THAT IS
+THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE
+ELSE IN YOUR SHOREWALL CONFIGURATION.
+ - SUBNET - The subnet that
+ you want to have masqueraded through the INTERFACE. This
+ may be expressed as a single IP address, a subnet or an interface
+ name. In the latter instance, the interface must be configured
+and started before Shorewall is started as Shorewall will determine
+ the subnet based on information obtained from the 'ip' utility.
+ When using Shorewall 1.3.13 or earlier, when
+ an interface name is specified, Shorewall will only masquerade traffic
+ from the first subnetwork on the named interface; if the interface interfaces
+ to more that one subnetwork, you will need to add additional entries
+to this file for each of those other subnetworks. Beginning with Shorewall
+1.3.14, shorewall will masquerade/SNAT traffic from any host that is routed
+through the named interface.
+
+ The subnet may be optionally followed
+by "!' and a comma-separated list of addresses and/or subnets
+ that are to be excluded from masquerading.
+ - ADDRESS - The source address
+ to be used for outgoing packets. This column is optional and
+ if left blank, the current primary IP address of the interface
+ in the first column is used. If you have a static IP on that
+interface, listing it here makes processing of output packets
+a little less expensive for the firewall. If you specify an address in
+this column, it must be an IP address configured on the INTERFACE or
+you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/shorewall.conf.
+
+
+
+
+
+ Example 1: You have eth0 connected to a cable modem and eth1
+ connected to your local subnetwork 192.168.9.0/24. Your
+ /etc/shorewall/masq file would look like:
+
+
+
+
+
+
+
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
-
- | ipsec0:10.1.0.0/16 |
- 192.168.9.0/24 |
-
- |
-
+ INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | eth0 |
+ 192.168.9.0/24 |
+
+ |
+
-
+
-
+
- Example 3: You have a DSL line connected on eth0 and a local
- network
- (192.168.10.0/24)
- connected to eth1. You
- want all local->net
- connections to use
- source address
- 206.124.146.176.
+ Example 2: You have a number of IPSEC tunnels through ipsec0
+ and you want to masquerade traffic from your 192.168.9.0/24
+ subnet to the remote subnet 10.1.0.0/16 only.
-
-
-
+
+
+
+
+
+
-
-
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
-
- | eth0 |
- 192.168.10.0/24 |
- 206.124.146.176 |
-
+
+ | INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | ipsec0:10.1.0.0/16 |
+ 192.168.9.0/24 |
+
+ |
+
-
+
-
+
+
+
-
+
+ Example 3: You have a DSL line connected on eth0 and a local
+ network
+ (192.168.10.0/24)
+ connected to eth1. You
+ want all local->net
+ connections to use
+ source address
+ 206.124.146.176.
+
+
+
+
+
+
+
+
+ | INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | eth0 |
+ 192.168.10.0/24 |
+ 206.124.146.176 |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Example 4:
Same as example 3
except that you wish
@@ -2295,72 +2453,72 @@ it must be an IP address configured on the INTERFACE or you must have ADD_SNA
-
+
+
+
+
+
+
+ | INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | eth0 |
+ 192.168.10.0/24!192.168.10.44,192.168.10.45 |
+ 206.124.146.176 |
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Example 5 (Shorewall version >= 1.3.14): You have a second
+ IP address (206.124.146.177) assigned to you and wish to use it for
+SNAT of the subnet 192.168.12.0/24. You want to give that address the
+name eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
-
-
-
-
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
-
- | eth0 |
- 192.168.10.0/24!192.168.10.44,192.168.10.45 |
- 206.124.146.176 |
-
-
-
-
-
-
-
-
-
-
-
-
-
-Example 5 (Shorewall version >= 1.3.14): You have a second
-IP address (206.124.146.177) assigned to you and wish to use it for SNAT
-of the subnet 192.168.12.0/24. You want to give that address the name
-eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
-
-
+
-
-
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
+
- | eth0:0 |
- 192.168.12.0/24 |
- 206.124.146.177 |
-
+ INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | eth0:0 |
+ 192.168.12.0/24 |
+ 206.124.146.177 |
+
-
+
-
+
-
-
+
+
/etc/shorewall/proxyarp
-
+
If you want to
use proxy ARP on an
entire sub-network,
@@ -2370,30 +2528,30 @@ eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall
href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/.
- If you decide to use
- the technique
- described in that
- HOWTO, you can set
- the proxy_arp flag
- for an interface
- (/proc/sys/net/ipv4/conf/<interface>/proxy_arp)
+ If you decide to use
+ the technique
+ described in that
+ HOWTO, you can set
+ the proxy_arp flag
+ for an interface
+ (/proc/sys/net/ipv4/conf/<interface>/proxy_arp)
-by including the
- proxyarp option
- in the interface's
- record in
-
- /etc/shorewall/interfaces.
- When using
-Proxy ARP
- sub-netting, you do
- NOT include
- any entries in
- /etc/shorewall/proxyarp.
+ by including the
+ proxyarp option
+ in the interface's
+ record in
+
+ /etc/shorewall/interfaces.
+ When using
+ Proxy ARP
+ sub-netting, you do
+ NOT include
+ any entries in
+ /etc/shorewall/proxyarp.
-
+
The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is
typically used for
@@ -2401,52 +2559,52 @@ Proxy ARP
on a small set of
systems since you
need one entry
- in
- this file for each
- system using proxy
- ARP. Columns are:
-
+ in
+ this file for each
+ system using proxy
+ ARP. Columns are:
+
- - ADDRESS - address of the
-system.
- - INTERFACE - the interface
-that connects to the system. If the interface is obvious
-from the subnetting, you may enter "-" in this column.
- - EXTERNAL - the external interface
- that you want to honor ARP requests for the ADDRESS specified
- in the first column.
- - HAVEROUTE - If
- you already have
- a route through
- INTERFACE
- to ADDRESS,
- this
-column should
- contain
- "Yes"
- or
- "yes".
- If you want
- Shorewall to add
- the route, the
- column should
- contain
- "No"
- or
- "no".
-
+ - ADDRESS - address of the
+ system.
+ - INTERFACE - the interface
+ that connects to the system. If the interface is obvious
+ from the subnetting, you may enter "-" in this column.
+ - EXTERNAL - the external
+interface that you want to honor ARP requests for the
+ADDRESS specified in the first column.
+ - HAVEROUTE - If
+ you already have
+ a route through
+ INTERFACE
+ to ADDRESS,
+ this
+ column should
+ contain
+ "Yes"
+ or
+ "yes".
+ If you want
+ Shorewall to add
+ the route, the
+ column should
+ contain
+ "No"
+ or
+ "no".
+
-
+
Note: After you have made a change to the /etc/shorewall/proxyarp
- file, you may need to flush the ARP cache of all routers
-on the LAN segment connected to the interface specified in the
-EXTERNAL column of the change/added entry(s). If you are having
-problems communicating between an individual host (A) on that
-segment and a system whose entry has changed, you may need to
-flush the ARP cache on host A as well.
+ file, you may need to flush the ARP cache of all routers
+ on the LAN segment connected to the interface specified in the
+ EXTERNAL column of the change/added entry(s). If you are having
+ problems communicating between an individual host (A) on that
+ segment and a system whose entry has changed, you may need to
+ flush the ARP cache on host A as well.
-
+
ISPs typically have ARP configured with long
TTL (hours!) so if your ISPs router has a stale cache entry (as seen using
"tcpdump -nei <external interface> host <IP addr>"), it may
@@ -2456,106 +2614,108 @@ order after changing my proxy ARP settings.
-
+
Example:
You have public IP addresses 155.182.235.0/28. You configure your
- firewall as follows:
-
+ firewall as follows:
+
- - eth0 - 155.186.235.1 (internet connection)
- - eth1 - 192.168.9.0/24 (masqueraded
-local systems)
- - eth2 - 192.168.10.1 (interface to your
- DMZ)
-
+ - eth0 - 155.186.235.1 (internet connection)
+ - eth1 - 192.168.9.0/24 (masqueraded
+ local systems)
+ - eth2 - 192.168.10.1 (interface to
+your DMZ)
+
-
+
In your DMZ, you want to install a Web/FTP server with public address
- 155.186.235.4. On the Web server, you subnet just like the
- firewall's eth0 and you configure 155.186.235.1 as the default
- gateway. In your /etc/shorewall/proxyarp file, you will have:
+ 155.186.235.4. On the Web server, you subnet just like
+the firewall's eth0 and you configure 155.186.235.1 as the
+default gateway. In your /etc/shorewall/proxyarp file, you
+will have:
-
+
-
+
-
+
-
- | ADDRESS |
- INTERFACE |
- EXTERNAL |
- HAVEROUTE |
-
-
- | 155.186.235.4 |
- eth2 |
- eth0 |
- No |
-
+
+ | ADDRESS |
+ INTERFACE |
+ EXTERNAL |
+ HAVEROUTE |
+
+
+ | 155.186.235.4 |
+ eth2 |
+ eth0 |
+ No |
+
-
+
-
+
+
-
+
-
+
Note: You may want to configure the servers in your DMZ with a subnet
- that is smaller than the subnet of your internet interface.
- See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/)
- for details. In this case you will want to place "Yes" in
- the HAVEROUTE column.
+ for details. In this case you will want to place "Yes"
+in the HAVEROUTE column.
-
+
Warning: Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
- If you start or restart Shorewall with an IPSEC tunnel active,
- the proxied IP addresses are mistakenly assigned to the IPSEC
- tunnel device (ipsecX) rather than to the interface that you
-specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't
-had the time to debug this problem so I can't say if it is a bug
+ If you start or restart Shorewall with an IPSEC tunnel active,
+ the proxied IP addresses are mistakenly assigned to the IPSEC
+ tunnel device (ipsecX) rather than to the interface that you
+ specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't
+ had the time to debug this problem so I can't say if it is a bug
in the Kernel or in FreeS/Wan.
-
+
You might be able to work around this problem using the following
- (I haven't tried it):
-
+ (I haven't tried it):
+
In /etc/shorewall/init, include:
-
+
qt service ipsec stop
-
+
In /etc/shorewall/start, include:
-
+
qt service ipsec start
-
+
/etc/shorewall/nat
-
+
The /etc/shorewall/nat file is used to define static NAT. There is one
- entry in the file for each static NAT relationship that
-you wish to define. In order to make use of this feature, you
-must have NAT enabled .
+ entry in the file for each static NAT relationship that
+ you wish to define. In order to make use of this feature,
+you must have NAT enabled .
-
+
IMPORTANT: If
@@ -2567,52 +2727,53 @@ must have NAT enabled .
static NAT. Port
forwarding
can be accomplished
- with
- simple entries in
- the
-
- rules file.
- Also, in most
- cases
-
- Proxy ARP
- provides a
- superior solution
- to static NAT
- because the
- internal systems
+ with
+ simple entries in
+ the
+
+ rules file.
+ Also, in most
+ cases
+
+ Proxy ARP
+ provides a
+ superior solution
+ to static NAT
+ because the
+ internal systems
are accessed
- using
- the same IP
- address internally
- and externally.
+ using
+ the same IP
+ address internally
+ and externally.
-
+
Columns in an entry are:
-
+
- - EXTERNAL - External IP address
- - This should NOT be the primary IP address of the
- interface named in the next column.
- - INTERFACE - Interface that
- you want the EXTERNAL IP address to appear on. Beginning
- with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes in
+
- EXTERNAL - External IP
+address - This should NOT be the primary IP address
+of the interface named in the next column.
+ - INTERFACE - Interface that
+ you want the EXTERNAL IP address to appear on. Beginning
+ with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes in
/etc/shorewall/shorewall.conf, you can specify
an alias label of the form interfacename:digit (e.g., eth0:0)
and Shorewall will create the alias with that label. Alias labels created
-in this way allow the alias to be visible to the ipconfig utility.
- THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR
-ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.
- - INTERNAL - Internal IP address.
- - ALL
- INTERFACES
- - If Yes
- or yes (or
- left
- empty),
- NAT
+ in this way allow the alias to be visible to the ipconfig utility.
+ THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY
+NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.
+ - INTERNAL - Internal IP
+address.
+ - ALL
+ INTERFACES
+ - If Yes
+ or yes (or
+ left
+ empty),
+ NAT
will
be
effective
@@ -2622,339 +2783,340 @@ ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.
then NAT
will be
effective
- only
- through
+ only
+ through
-the
- interface
- named in
- the
- INTERFACE
- column.
- - LOCAL - If Yes or yes and the
- ALL INTERFACES column contains Yes or yes, NAT will be
-effective from the firewall system. Note: For
+ the
+ interface
+ named in
+ the
+ INTERFACE
+ column.
+ - LOCAL - If Yes or yes and
+the ALL INTERFACES column contains Yes or yes, NAT will
+be effective from the firewall system. Note: For
this to work, you must be running kernel 2.4.19 or later and
iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL
- in your kernel.
-
+ in your kernel.
+
-
+
Look here for additional information and an example.
-
+
-
+
/etc/shorewall/tunnels
-
+
The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP,
- OpenVPN and PPTP
- tunnels with end-points on your firewall. To use ipsec, you must
- install version 1.9, 1.91 or the current OpenVPN and PPTP
+ tunnels with end-points on your firewall. To use ipsec, you must
+ install version 1.9, 1.91 or the current FreeS/WAN development
snapshot.
-
+
Note: For kernels 2.4.4 and above, you will need to use version 1.91
- or a development snapshot as patching with version 1.9
+ or a development snapshot as patching with version 1.9
results in kernel compilation errors.
-
+
Instructions for setting up IPSEC tunnels may
- be found here, instructions
- for IPIP and GRE tunnels are here, instructions
+ for IPIP and GRE tunnels are here, instructions for OpenVPN tunnels are here, and
- instructions for PPTP tunnels are here.
-
+ instructions for PPTP tunnels are here.
+
/etc/shorewall/shorewall.conf
-
+
This file is used to set the following firewall parameters:
-
+
- - CLEAR_TC - Added at version
- 1.3.13
- If this option is set to 'No' then Shorewall won't clear the
-current traffic control rules during [re]start. This setting is intended
-for use by people that prefer to configure traffic shaping when the network
-interfaces come up rather than when the firewall is started. If that
-is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply
-an /etc/shorewall/tcstart file. That way, your traffic shaping rules
-can still use the 'fwmark' classifier based on packet marking defined
-in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.
-
- - MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
- If your kernel has a FORWARD chain in the mangle table,
- you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified
- in the tcrules file to occur
- in that chain rather than in the PREROUTING chain. This permits you
- to mark inbound traffic based on its destination address when SNAT
-or Masquerading are in use. To determine if your kernel has a FORWARD
+ - CLEAR_TC - Added at
+version 1.3.13
+ If this option is set to 'No' then Shorewall won't clear the
+ current traffic control rules during [re]start. This setting is intended
+ for use by people that prefer to configure traffic shaping when the
+network interfaces come up rather than when the firewall is started.
+If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and
+do not supply an /etc/shorewall/tcstart file. That way, your traffic
+shaping rules can still use the 'fwmark' classifier based on packet marking
+defined in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.
+
+ - MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
+ If your kernel has a FORWARD chain in the mangle table,
+ you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified
+ in the tcrules file to
+occur in that chain rather than in the PREROUTING chain. This permits
+you to mark inbound traffic based on its destination address when
+SNAT or Masquerading are in use. To determine if your kernel has a FORWARD
chain in the mangle table, use the "/sbin/shorewall show mangle" command;
-if a FORWARD chain is displayed then your kernel will support this
+ if a FORWARD chain is displayed then your kernel will support this
option. If this option is not specified or if it is given the empty
value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
is assumed.
-
- - RFC1918_LOG_LEVEL - Added at version 1.3.12
- This parameter determines the level at which packets
-logged under the 'norfc1918'
- mechanism are logged. The value must be a valid
+ - RFC1918_LOG_LEVEL - Added at version 1.3.12
+ This parameter determines the level at which packets
+ logged under the 'norfc1918'
+ mechanism are logged. The value must be a valid syslog level and if no level is given,
- then info is assumed. Prior to Shorewall version 1.3.12, these packets
- are always logged at the info level.
- - TCP_FLAGS_DISPOSITION - Added in Version
-1.3.11
- Determines the disposition of TCP packets that fail the
- checks enabled by the tcpflags interface
- option and must have a value of ACCEPT (accept the packet), REJECT
- (send an RST response) or DROP (ignore the packet). If not set or
-if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP
- is assumed.
- - TCP_FLAGS_LOG_LEVEL - Added in Version
+ then info is assumed. Prior to Shorewall version 1.3.12, these packets
+ are always logged at the info level.
+ - TCP_FLAGS_DISPOSITION - Added in Version
1.3.11
- Determines the syslog
- level for logging packets that fail the checks enabled by the
+ Determines the disposition of TCP packets that fail
+the checks enabled by the tcpflags
+interface option and must have a value of ACCEPT (accept the packet),
+REJECT (send an RST response) or DROP (ignore the packet). If not
+set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="")
+then TCP_FLAGS_DISPOSITION=DROP is assumed.
+ - TCP_FLAGS_LOG_LEVEL - Added in Version
+ 1.3.11
+ Determines the syslog
+ level for logging packets that fail the checks enabled by the
tcpflags interface option.The value must
be a valid syslogd log level. If you don't want to log these packets,
set to the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").
-
- - MACLIST_DISPOSITION - Added in Version
- 1.3.10
- Determines the disposition of connections requests
- that fail MAC Verification and
- must have the value ACCEPT (accept the connection request anyway), REJECT
- (reject the connection request) or DROP (ignore the connection request).
- If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="")
- then MACLIST_DISPOSITION=REJECT is assumed.
- - MACLIST_LOG_LEVEL - Added in Version
- 1.3.10
- Determines the
+ - MACLIST_DISPOSITION - Added in Version
+ 1.3.10
+ Determines the disposition of connections requests
+ that fail MAC Verification and
+ must have the value ACCEPT (accept the connection request anyway), REJECT
+ (reject the connection request) or DROP (ignore the connection request).
+ If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="")
+ then MACLIST_DISPOSITION=REJECT is assumed.
+ - MACLIST_LOG_LEVEL - Added in Version
+ 1.3.10
+ Determines the syslog level for logging connection
-requests that fail MAC Verification.
-The value must be a valid syslogd log level. If you don't want
-to log these connection requests, set to the empty value (e.g.,
+ requests that fail MAC Verification.
+ The value must be a valid syslogd log level. If you don't want
+ to log these connection requests, set to the empty value (e.g.,
MACLIST_LOG_LEVEL="").
-
- - NEWNOTSYN - Added in Version 1.3.8
- When set to "Yes" or "yes", Shorewall will filter
- TCP packets that are not part of an established connention
-and that are not SYN packets (SYN flag on - ACK flag off). If set
-to "No", Shorewall will silently drop such packets. If not set
-or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No is
-assumed.
-
- If you have a HA setup with failover to another
- firewall, you should have NEWNOTSYN=Yes on both firewalls.
+
+ - NEWNOTSYN - Added in Version 1.3.8
+ When set to "Yes" or "yes", Shorewall will
+filter TCP packets that are not part of an established connention
+ and that are not SYN packets (SYN flag on - ACK flag off). If
+set to "No", Shorewall will silently drop such packets. If not
+set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No
+ is assumed.
+
+ If you have a HA setup with failover to another
+ firewall, you should have NEWNOTSYN=Yes on both firewalls.
You should also select NEWNOTSYN=Yes if you have asymmetric routing.
-
- - LOGNEWNOTSYN - Added in Version
-1.3.6
- Beginning with version 1.3.6, Shorewall
-drops non-SYN TCP packets that are not part of an existing
-connection. If you would like to log these packets, set LOGNEWNOTSYN
-to the syslog level at which
-you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
-
- Note: Packets logged under this
-option are usually the result of broken remote IP stacks
-rather than the result of any sort of attempt to breach your
-firewall.
- - DETECT_DNAT_ADDRS
- - Added in Version 1.3.4
- If set to "Yes" or "yes", Shorewall will detect the IP address(es)
- of the interface(es) to the source zone and will include this
+
+ - LOGNEWNOTSYN - Added in Version
+ 1.3.6
+ Beginning with version 1.3.6, Shorewall
+ drops non-SYN TCP packets that are not part of an existing
+ connection. If you would like to log these packets, set LOGNEWNOTSYN
+ to the syslog level at which
+ you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
+
+ Note: Packets logged under this
+ option are usually the result of broken remote IP stacks
+ rather than the result of any sort of attempt to breach your
+ firewall.
+ - DETECT_DNAT_ADDRS
+ - Added in Version 1.3.4
+ If set to "Yes" or "yes", Shorewall will detect the IP address(es)
+ of the interface(es) to the source zone and will include this
(these) address(es) in DNAT rules as the original destination
IP address. If set to "No" or "no", Shorewall will not detect this
(these) address(es) and any destination IP address will match the
DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" is
assumed.
-
- - MULTIPORT - Added in Version
- 1.3.2
- If set to "Yes" or "yes", Shorewall will
- use the Netfilter multiport facility. In order to use
+
+ - MULTIPORT - Added in
+Version 1.3.2
+ If set to "Yes" or "yes", Shorewall will
+ use the Netfilter multiport facility. In order to use
this facility, your kernel must have multiport support
(CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall
will generate a single rule from each record in the /etc/shorewall/rules
file that meets these criteria:
-
+
- - No port range(s) specified
- - Specifies 15 or fewer ports
+ - No port range(s) specified
+ - Specifies 15 or fewer ports
-
+
-
+
Rules not meeting those criteria will continue to generate an individual
- rule for each listed port or port range.
-
- - NAT_BEFORE_RULES
- If set to "No" or "no", port forwarding
-rules can override the contents of the /etc/shorewall/nat
- file. If set to "Yes" or "yes", port forwarding rules cannot
- override static NAT. If not set or set to an empty value, "Yes"
- is assumed.
- - FW
+ rule for each listed port or port range.
+
+ - NAT_BEFORE_RULES
+ If set to "No" or "no", port forwarding
+ rules can override the contents of the /etc/shorewall/nat
+ file. If set to "Yes" or "yes", port forwarding rules cannot
+ override static NAT. If not set or set to an empty value, "Yes"
+ is assumed.
+ - FW
- This
- parameter
- specifies the
- name of the
- firewall zone.
- If not set
- or if
-set to an
- empty string,
- the value
- "fw"
- is assumed.
- - SUBSYSLOCK
- This parameter should be set to the
- name of a file that the firewall should create if it starts
- successfully and remove when it stops. Creating and removing
- this file allows Shorewall to work with your distribution's
- initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall.
- For Debian, the value is /var/state/shorewall and in LEAF it
- is /var/run/shorwall.
-
- Example: SUBSYSLOCK=/var/lock/subsys/shorewall.
- - STATEDIR
- This parameter specifies the name
-of a directory where Shorewall stores state information.
- If the directory doesn't exist when Shorewall starts,
- it will create the directory. Example: STATEDIR=/tmp/shorewall.
-
- NOTE: If you change the STATEDIR
-variable while the firewall is running, create the new directory
+ This
+ parameter
+ specifies the
+ name of the
+ firewall zone.
+ If not set
+ or if
+ set to an
+ empty string,
+ the value
+ "fw"
+ is assumed.
+ - SUBSYSLOCK
+ This parameter should be set to
+the name of a file that the firewall should create if
+it starts successfully and remove when it stops. Creating
+ and removing this file allows Shorewall to work with your distribution's
+ initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall.
+ For Debian, the value is /var/state/shorewall and in LEAF
+it is
+ /var/run/shorwall.
+ Example: SUBSYSLOCK=/var/lock/subsys/shorewall.
+ - STATEDIR
+ This parameter specifies the name
+ of a directory where Shorewall stores state information.
+ If the directory doesn't exist when Shorewall starts,
+ it will create the directory. Example: STATEDIR=/tmp/shorewall.
+
+ NOTE: If you change the STATEDIR
+ variable while the firewall is running, create the new directory
if necessary then copy the contents of the old directory
to the new directory.
- - MODULESDIR
- This parameter specifies the directory
- where your kernel netfilter modules may be found. If
-you leave the variable empty, Shorewall will supply the
- value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.
- - LOGRATE and LOGBURST
- These parameters set the match rate
- and initial burst size for logged packets. Please see the
- iptables man page for a description of the behavior of these
- parameters (the iptables option --limit is set by LOGRATE and
- --limit-burst is set by LOGBURST). If both parameters are set
- empty, no rate-limiting will occur.
-
- Example:
- LOGRATE=10/minute
- LOGBURST=5
-
- - LOGFILE
+ - MODULESDIR
+ This parameter specifies the directory
+ where your kernel netfilter modules may be found. If
+ you leave the variable empty, Shorewall will supply the
+ value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.
+ - LOGRATE and LOGBURST
+ These parameters set the match
+rate and initial burst size for logged packets. Please
+see the iptables man page for a description of the behavior
+ of these parameters (the iptables option --limit is set by
+LOGRATE and --limit-burst is set by LOGBURST). If both parameters
+ are set empty, no rate-limiting will occur.
+
+ Example:
+ LOGRATE=10/minute
+ LOGBURST=5
+
+ - LOGFILE
- This parameter
- tells the
- /sbin/shorewall
- program where
- to look for
- Shorewall
- messages
-when
-processing the
- "show
- log",
- "monitor",
- "status"
- and
- "hits"
- commands. If
- not assigned
- or if assigned
- an empty
+ This parameter
+ tells the
+ /sbin/shorewall
+ program where
+ to look for
+ Shorewall
+ messages
+ when
+ processing the
+ "show
+ log",
+ "monitor",
+ "status"
+ and
+ "hits"
+ commands. If
+ not assigned
+ or if assigned
+ an empty
value,
/var/log/messages
- is assumed.
- - NAT_ENABLED
- This parameter determines whether
-Shorewall supports NAT operations. NAT operations include:
-
- Static NAT
- Port Forwarding
- Port Redirection
- Masquerading
-
- If the parameter has no value or
-has a value of "Yes" or "yes" then NAT is enabled. If the
-parameter has a value of "no" or "No" then NAT is disabled.
-
- - MANGLE_ENABLED
- This parameter determines if packet
- mangling is enabled. If the parameter has no value or
-has a value of "Yes" or "yes" than packet mangling is enabled.
- If the parameter has a value of "no" or "No" then packet mangling
+ is
+assumed.
+ - NAT_ENABLED
+ This parameter determines whether
+ Shorewall supports NAT operations. NAT operations include:
+
+ Static NAT
+ Port Forwarding
+ Port Redirection
+ Masquerading
+
+ If the parameter has no value or
+ has a value of "Yes" or "yes" then NAT is enabled. If
+the parameter has a value of "no" or "No" then NAT is disabled.
+
+ - MANGLE_ENABLED
+ This parameter determines if packet
+ mangling is enabled. If the parameter has no value or
+ has a value of "Yes" or "yes" than packet mangling is enabled.
+ If the parameter has a value of "no" or "No" then packet mangling
is disabled. If packet mangling is disabled, the /etc/shorewall/tos
file is ignored.
-
- - IP_FORWARDING
- This parameter determines whether
-Shorewall enables or disables IPV4 Packet Forwarding
-(/proc/sys/net/ipv4/ip_forward). Possible values are:
-
- On or on - packet forwarding
-will be enabled.
- Off or off - packet forwarding
- will be disabled.
- Keep or keep - Shorewall will
-neither enable nor disable packet forwarding.
-
- If this variable is not set or is
-given an empty value (IP_FORWARD="") then IP_FORWARD=On
-is assumed.
-
- - ADD_IP_ALIASES
- This parameter determines whether
-Shorewall automatically adds the
- external address(es)
-in /etc/shorewall/nat . If the variable
- is set to "Yes" or "yes" then Shorewall automatically
- adds these aliases. If it is set to "No" or "no", you must
- add these aliases yourself using your distribution's network
-configuration tools.
-
- If this variable is not set or is
-given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes
- is assumed.
- - ADD_SNAT_ALIASES
- This parameter determines whether Shorewall
- automatically adds the SNAT ADDRESS in
+ - IP_FORWARDING
+ This parameter determines whether
+ Shorewall enables or disables IPV4 Packet Forwarding
+ (/proc/sys/net/ipv4/ip_forward). Possible values are:
+
+ On or on - packet forwarding
+ will be enabled.
+ Off or off - packet forwarding
+ will be disabled.
+ Keep or keep - Shorewall will
+ neither enable nor disable packet forwarding.
+
+ If this variable is not set or
+is given an empty value (IP_FORWARD="") then IP_FORWARD=On
+ is assumed.
+
+ - ADD_IP_ALIASES
+ This parameter determines whether
+ Shorewall automatically adds the
+ external address(es)
+ in /etc/shorewall/nat . If the variable
+ is set to "Yes" or "yes" then Shorewall automatically
+ adds these aliases. If it is set to "No" or "no", you must
+ add these aliases yourself using your distribution's network
+ configuration tools.
+
+ If this variable is not set or is
+ given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes
+ is assumed.
+ - ADD_SNAT_ALIASES
+ This parameter determines whether Shorewall
+ automatically adds the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set
to "Yes" or "yes" then Shorewall automatically adds these addresses.
If it is set to "No" or "no", you must add these addresses yourself
using your distribution's network configuration tools.
-
- If this variable is not set or is
-given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No
- is assumed.
-
- - LOGUNCLEAN
+
+ If this variable is not set or is
+ given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No
+ is assumed.
+
+ - LOGUNCLEAN
- This parameter
- determines the
- logging level
- of
- mangled/invalid
- packets
- controlled by
- the 'dropunclean
and logunclean'
interface
@@ -2981,75 +3143,75 @@ empty
level
(Example:
LOGUNCLEAN=debug).
- - BLACKLIST_DISPOSITION
+ - BLACKLIST_DISPOSITION
- This parameter
- determines the
- disposition of
- packets from
- blacklisted
- hosts. It
-may have
-the value
- DROP if the
- packets are to
- be dropped or
- REJECT if the
- packets are to
- be replied
- with an ICMP
- port
- unreachable
- reply or
- a TCP
-RST (tcp
- only). If you
- do not assign
- a value or if
- you assign an
- empty value
- then DROP is
- assumed.
- - BLACKLIST_LOGLEVEL
+ This parameter
+ determines the
+ disposition of
+ packets from
+ blacklisted
+ hosts. It
+ may
+have the value
+ DROP if the
+ packets are to
+ be dropped or
+ REJECT if the
+ packets are to
+ be replied
+ with an
+ICMP port
+ unreachable
+ reply
+or a TCP
+ RST (tcp
+ only). If you
+ do not assign
+ a value or if
+ you assign an
+ empty value
+ then DROP is
+ assumed.
+ - BLACKLIST_LOGLEVEL
- This paremter
- determines if
- packets from
- blacklisted
- hosts are
- logged and it
- determines
- the
-syslog level
- that they are
- to be logged
- at. Its value
- is a syslog level
(Example:
BLACKLIST_LOGLEVEL=debug).
-If you do not
- assign a value
- or if you
- assign an
- empty value
- then packets
- from
- blacklisted
- hosts are not
- logged.
- - CLAMPMSS
+ If you do not
+ assign a value
+ or if you
+ assign an
+ empty value
+ then packets
+ from
+ blacklisted
+ hosts are not
+ logged.
+ - CLAMPMSS
- This parameter
- enables the
- TCP Clamp MSS
- to PMTU
- feature of
- Netfilter and
- is usually
- required when
- your
+ This parameter
+ enables the
+ TCP Clamp MSS
+ to PMTU
+ feature of
+ Netfilter and
+ is usually
+ required
+when your
internet
connection is
through PPPoE
@@ -3075,126 +3237,126 @@ to "No"
in
your kernel.
- - ROUTE_FILTER
- If this parameter is given the value "Yes"
- or "yes" then route filtering (anti-spoofing) is enabled
- on all network interfaces. The default value is "no".
-
+ - ROUTE_FILTER
+ If this parameter is given the value
+"Yes" or "yes" then route filtering (anti-spoofing) is
+ enabled on all network interfaces. The default value is "no".
+
-
+
/etc/shorewall/modules Configuration
-
+
The file /etc/shorewall/modules contains commands for loading the kernel
- modules required by Shorewall-defined firewall rules. Shorewall
- will source this file during start/restart provided that
-it exists and that the directory specified by the MODULESDIR
+ modules required by Shorewall-defined firewall rules.
+Shorewall will source this file during start/restart provided
+that it exists and that the directory specified by the MODULESDIR
parameter exists (see /etc/shorewall/shorewall.conf
above).
-
+
The file that is released with Shorewall calls the Shorewall function
- "loadmodule" for the set of modules that I load.
+ "loadmodule" for the set of modules that I load.
-
+
The loadmodule function is called as follows:
-
+
-
+
loadmodule
<modulename>
[ <module parameters> ]
-
+
-
+
where
-
+
-
+
<modulename>
-
+
-
+
is the name of the modules without the trailing ".o" (example
ip_conntrack).
-
+
-
+
<module parameters>
-
+
-
+
Optional parameters to the insmod utility.
+
-
-
+
The function determines if the module named by <modulename>
- is already loaded and if not then the function determines
- if the ".o" file corresponding to the module exists in the
- moduledirectory; if so, then the following command
-is executed:
+ is already loaded and if not then the function determines
+ if the ".o" file corresponding to the module exists in the
+ moduledirectory; if so, then the following command
+ is executed:
-
+
-
+
insmod moduledirectory/<modulename>.o <module
- parameters>
-
+ parameters>
+
-
+
If the file doesn't exist, the function determines of the ".o.gz"
file corresponding to the module exists in the moduledirectory.
If it does, the function assumes that the running configuration supports
@@ -3202,218 +3364,223 @@ compressed modules and execute the following command:
-
+
-
+
insmod moduledirectory/<modulename>.o.gz <module
- parameters>
-
+ parameters>
+
-
+
+
/etc/shorewall/tos Configuration
+
The /etc/shorewall/tos file allows you to set the Type of Service field
- in packet headers based on packet source, packet destination,
- protocol, source port and destination port. In order for
- this file to be processed by Shorewall, you must have mangle support enabled .
+
Entries in the file have the following columns:
-
+
+
- - SOURCE -- The source zone.
- May be qualified by following the zone name with a colon
- (":") and either an IP address, an IP subnet, a MAC address
- in Shorewall Format or the name of an
+
- SOURCE -- The source zone.
+ May be qualified by following the zone name with a colon
+ (":") and either an IP address, an IP subnet, a MAC address
+ in Shorewall Format or the name of an
interface. This column may also contain the name of
the firewall
zone
to indicate packets originating on the firewall itself or "all"
to indicate any source.
- - DEST -- The destination zone.
- May be qualified by following the zone name with a colon
- (":") and either an IP address or an IP subnet. Because packets
- are marked prior to routing, you may not specify the name
- of an interface. This column may also contain "all" to indicate
- any destination.
- - PROTOCOL -- The name of a
-protocol in /etc/protocols or the protocol's number.
- - SOURCE PORT(S) -- The source
- port or a port range. For all ports, place a hyphen ("-")
- in this column.
- - DEST PORT(S) -- The destination
- port or a port range. To indicate all ports, place a hyphen
- ("-") in this column.
- - TOS -- The type of service.
- Must be one of the following:
-
+ - DEST -- The destination
+zone. May be qualified by following the zone name with
+a colon (":") and either an IP address or an IP subnet.
+Because packets are marked prior to routing, you may not specify
+ the name of an interface. This column may also contain
+ "all" to indicate any destination.
+ - PROTOCOL -- The name of
+a protocol in /etc/protocols or the protocol's number.
+ - SOURCE PORT(S) -- The source
+ port or a port range. For all ports, place a hyphen
+("-") in this column.
+ - DEST PORT(S) -- The destination
+ port or a port range. To indicate all ports, place a
+hyphen ("-") in this column.
+ - TOS -- The type of service.
+ Must be one of the following:
+
-
+
-
+
-
+
Minimize-Delay (16)
- Maximize-Throughput (8)
- Maximize-Reliability (4)
- Minimize-Cost (2)
- Normal-Service (0)
-
-
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)
+
+
-
+
The /etc/shorewall/tos file that is included with Shorewall contains
- the following entries.
+ the following entries.
-
+
-
+
-
+
-
- | SOURCE |
- DEST |
- PROTOCOL |
- SOURCE
- PORT(S) |
- DEST PORT(S) |
- TOS |
-
-
- | all |
- all |
- tcp |
- - |
- ssh |
- 16 |
-
-
- | all |
- all |
- tcp |
- ssh |
- - |
- 16 |
-
-
- | all |
- all |
- tcp |
- - |
- ftp |
- 16 |
-
-
- | all |
- all |
- tcp |
- ftp |
- - |
- 16 |
-
-
- | all |
- all |
- tcp |
- - |
- ftp-data |
- 8 |
-
-
- | all |
- all |
- tcp |
- ftp-data |
- - |
- 8 |
-
+
+ | SOURCE |
+ DEST |
+ PROTOCOL |
+ SOURCE
+ PORT(S) |
+ DEST PORT(S) |
+ TOS |
+
+
+ | all |
+ all |
+ tcp |
+ - |
+ ssh |
+ 16 |
+
+
+ | all |
+ all |
+ tcp |
+ ssh |
+ - |
+ 16 |
+
+
+ | all |
+ all |
+ tcp |
+ - |
+ ftp |
+ 16 |
+
+
+ | all |
+ all |
+ tcp |
+ ftp |
+ - |
+ 16 |
+
+
+ | all |
+ all |
+ tcp |
+ - |
+ ftp-data |
+ 8 |
+
+
+ | all |
+ all |
+ tcp |
+ ftp-data |
+ - |
+ 8 |
+
-
+
+
-
+
-
+
+
-
WARNING: Users have reported that odd routing problems result from
- adding the ESP and AH protocols to the /etc/shorewall/tos
+ adding the ESP and AH protocols to the /etc/shorewall/tos
file.
-
+
/etc/shorewall/blacklist
-
+
Each
line
in
/etc/shorewall/blacklist
contains
- an
- IP
- address, a MAC address in Shorewall Format
or
subnet
address.
- Example:
+ Example:
-
+
130.252.100.69
206.124.146.0/24
-
+
Packets
from
hosts
listed
in
- the
- blacklist
- file
- will
+ the
+ blacklist
+ file
+ will
-be
- disposed
- of
- according
- to
- the
+ be
+ disposed
+ of
+ according
+ to
+ the
value
assigned
@@ -3447,186 +3614,189 @@ be
blacklist. The black list is designed to
prevent listed hosts/subnets from accessing services on your
network.
-
-
+
+
Beginning with Shorewall 1.3.8, the blacklist file has three columns:
-
-
+
+
- - ADDRESS/SUBNET - As described above.
- - PROTOCOL - Optional. If specified,
- only packets specifying this protocol will be blocked.
- - PORTS - Optional; may only be given
- if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated
- list of port numbers or service names (from /etc/services). If present,
- only packets destined for the specified protocol and one of the
- listed ports are blocked. When the PROTOCOL is icmp, the PORTS column
- contains a comma-separated list of ICMP type numbers or names (see
- "iptables -h icmp").
-
-
+ - ADDRESS/SUBNET - As described
+above.
+ - PROTOCOL - Optional. If specified,
+ only packets specifying this protocol will be blocked.
+ - PORTS - Optional; may only be
+given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated
+ list of port numbers or service names (from /etc/services). If
+present, only packets destined for the specified protocol and one
+of the listed ports are blocked. When the PROTOCOL is icmp, the PORTS
+column contains a comma-separated list of ICMP type numbers or names
+(see "iptables -h icmp").
+
+
-
+
Shorewall also has a dynamic blacklist
- capability.
+ capability.
+
-
IMPORTANT: The Shorewall blacklist file is NOT
- designed to police your users' web browsing -- to do that,
-I suggest that you install and configure Squid (http://www.squid-cache.org).
-
+
/etc/shorewall/rfc1918 (Added in Version 1.3.1)
-
+
This file lists the subnets affected by the norfc1918
- interface option. Columns in the file are:
+ interface option. Columns in the file are:
-
+
- - SUBNET - The subnet using
- VLSM notation (e.g., 192.168.0.0/16).
+ - SUBNET - The subnet
+using VLSM notation (e.g., 192.168.0.0/16).
- - TARGET - What to
- do with packets to/from the SUBNET:
+
- TARGET - What
+to do with packets to/from the SUBNET:
-
+
- - RETURN - Process the
-packet normally thru the rules and policies.
+ - RETURN - Process the
+ packet normally thru the rules and policies.
- - DROP - Silently drop
-the packet.
+ - DROP - Silently drop
+ the packet.
- - logdrop - Log then drop
- the packet -- see the RFC1918_LOG_LEVEL parameter
- above.
+ - logdrop - Log then
+drop the packet -- see the RFC1918_LOG_LEVEL
+parameter above.
-
+
-
-
+
+
-
+
/etc/shorewall/routestopped (Added in Version
- 1.3.4)
+ 1.3.4)
-
+
This file defines the hosts that are accessible from the firewall when
- the firewall is stopped. Columns in the file are:
+ the firewall is stopped. Columns in the file are:
-
+
- - INTERFACE - The firewall
- interface through which the host(s) comminicate with the firewall.
+ - INTERFACE - The firewall
+ interface through which the host(s) comminicate with the firewall.
- - HOST(S) - (Optional) -
-A comma-separated list of IP/Subnet addresses. If not supplied
-or supplied as "-" then 0.0.0.0/0 is assumed.
-
+ - HOST(S) - (Optional)
+- A comma-separated list of IP/Subnet addresses. If not supplied
+ or supplied as "-" then 0.0.0.0/0 is assumed.
+
-
+
Example: When your firewall is stopped, you want firewall accessibility
- from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ
- interfaces through eth1 and your local hosts through eth2.
+ from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ
+ interfaces through eth1 and your local hosts through eth2.
-
+
-
+
-
-
+
+
- | INTERFACE |
+ INTERFACE |
- HOST(S) |
+ HOST(S) |
-
+
-
+
- | eth2 |
+ eth2 |
- 192.168.1.0/24 |
+ 192.168.1.0/24 |
-
+
-
+
- | eth1 |
+ eth1 |
- - |
+ - |
-
+
-
+
-
+
-
+
-
+
/etc/shorewall/maclist (Added in Version 1.3.10)
- This file is described in the MAC Validation Documentation.
-
+
/etc/shorewall/ecn (Added in Version 1.4.0)
- This file is described in the ECN Control Documentation.
-
-
- Updated 3/6/2003 - Tom Eastep
-
+
+
+ Updated 3/21/2003 - Tom Eastep
+
-
+
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
+
+
+
diff --git a/Shorewall-docs/Install.htm b/Shorewall-docs/Install.htm
index d636696ca..073c631de 100644
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@@ -1,190 +1,213 @@
-
+
Shorewall Installation
-
+
-
+
-
+
-
-
-
- Shorewall Installation and
+
+
+
+ Shorewall Installation and
Upgrade
- |
-
-
-
+ |
+
+
+
-
+
Before upgrading, be sure to review the Upgrade Issues
-
+
Install using RPM
- Install using tarball
- Install the .lrp
- Upgrade using RPM
- Upgrade using tarball
- Upgrade the .lrp
- Configuring Shorewall
- Uninstall/Fallback
-
+ Install using tarball
+ Install the .lrp
+ Upgrade using RPM
+ Upgrade using tarball
+ Upgrade the .lrp
+ Configuring Shorewall
+ Uninstall/Fallback
+
To install Shorewall using the RPM:
-
-If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
- shell prompt, type "/sbin/iptables --version"), you must upgrade to version
+
+
If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
+ shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the RedHat update
- site or from the Shorewall Errata page before
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
+ site or from the Shorewall Errata page before
attempting to start Shorewall.
-
+
- - Install the RPM (rpm -ivh <shorewall rpm>).
-
- Note: Some SuSE users have encountered a problem whereby rpm
- reports a conflict with kernel <= 2.2 even though a 2.4 kernel is
-installed. If this happens, simply use the --nodeps option to rpm (rpm
--ivh --nodeps <shorewall rpm>).
- - Edit the configuration files to match
- your configuration. WARNING - YOU CAN NOT
- SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
- IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
- AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
-NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
-RESTORE NETWORK CONNECTIVITY.
- - Start the firewall by typing "shorewall start"
-
+ - Install the RPM (rpm -ivh <shorewall rpm>).
+
+ Note1: Some SuSE users have encountered a problem whereby
+rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
+is installed. If this happens, simply use the --nodeps option to rpm
+(rpm -ivh --nodeps <shorewall rpm>).
+
+ Note2: Beginning with Shorewall 1.4.0, Shorewall is dependent
+on the iproute package. Unfortunately, some distributions call this package
+iproute2 which will cause the installation of Shorewall to fail with the
+diagnostic:
+
+ error: failed dependencies:iproute is needed by shorewall-1.4.0-1
+
+
+This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
+<shorewall rpm>).
+
+
+ - Edit the configuration files to
+match your configuration. WARNING - YOU CAN NOT
+ SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
+ IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
+ AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
+NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
+NETWORK CONNECTIVITY.
+ - Start the firewall by typing "shorewall start"
+
-
-To install Shorewall using the tarball
+
+
To install Shorewall using the tarball
and install script:
-
+
- - unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
- - cd to the shorewall directory (the version is encoded in the
- directory name as in "shorewall-1.1.10").
- - If you are using unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
+ - cd to the shorewall directory (the version is encoded in the
+ directory name as in "shorewall-1.1.10").
+ - If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
- - If you are using SuSe then type
- "./install.sh /etc/init.d"
- - If your distribution has directory /etc/rc.d/init.d
+
- If you are using SuSe then
+type "./install.sh /etc/init.d"
+ - If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"
- - For other distributions, determine where your distribution
- installs init scripts and type "./install.sh <init script
+
- For other distributions, determine where your distribution
+ installs init scripts and type "./install.sh <init script
directory>
- - Edit the configuration files to match
- your configuration.
- - Start the firewall by typing "shorewall start"
- - If the install script was unable to configure Shorewall to be
+
- Edit the configuration files to
+match your configuration.
+ - Start the firewall by typing "shorewall start"
+ - If the install script was unable to configure Shorewall to be
started automatically at boot, see these instructions.
-
+
-
-To install my version of Shorewall on a fresh Bering
- disk, simply replace the "shorwall.lrp" file on the image with the file
-that you downloaded. See the two-interface QuickStart
+
+To install my version of Shorewall on a fresh Bering
+ disk, simply replace the "shorwall.lrp" file on the image with the file that
+ you downloaded. See the two-interface QuickStart
Guide for information about further steps required.
-
-If you already have the Shorewall RPM installed
- and are upgrading to a new version:
-
-If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
-and you have entries in the /etc/shorewall/hosts file then please check
- your /etc/shorewall/interfaces file to be sure that it contains an entry
- for each interface mentioned in the hosts file. Also, there are certain
-1.2 rule forms that are no longer supported under 1.4 (you must use the
-new 1.4 syntax). See the upgrade issues for
-details.
-
-
-
-If you already have Shorewall installed
-and are upgrading to a new version using the tarball:
-
+If you already have the Shorewall RPM installed
+ and are upgrading to a new version:
+
If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
-and you have entries in the /etc/shorewall/hosts file then please check
-your /etc/shorewall/interfaces file to be sure that it contains an entry
-for each interface mentioned in the hosts file. Also, there are certain
-1.2 rule forms that are no longer supported under 1.4 (you must use the
-new 1.4 syntax). See the upgrade issues
-for details.
-
+or and you have entries in the /etc/shorewall/hosts file then please check
+ your /etc/shorewall/interfaces file to be sure that it contains an entry
+ for each interface mentioned in the hosts file. Also, there are certain
+1.2 rule forms that are no longer supported under 1.4 (you must use the new
+1.4 syntax). See the upgrade issues for details.
+
+
+If you already have Shorewall installed and
+are upgrading to a new version using the tarball:
+
+If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
+you have entries in the /etc/shorewall/hosts file then please check your
+ /etc/shorewall/interfaces file to be sure that it contains an entry for
+each interface mentioned in the hosts file. Also, there are certain 1.2
+rule forms that are no longer supported under 1.4 (you must use the new
+1.4 syntax). See the upgrade issues for
+details.
+
+
+ - unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
+ - cd to the shorewall directory (the version is encoded in the
+ directory name as in "shorewall-3.0.1").
+ - If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
- - If you are using SuSe then type
- "./install.sh /etc/init.d"
- - If your distribution has directory /etc/rc.d/init.d
+
- If you are using SuSe then
+type "./install.sh /etc/init.d"
+ - If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"
- - For other distributions, determine where your distribution
- installs init scripts and type "./install.sh <init script
+
- For other distributions, determine where your distribution
+ installs init scripts and type "./install.sh <init script
directory>
- - See if there are any incompatibilities between your configuration
-and the new Shorewall version (type "shorewall check") and correct as necessary.
- - Restart the firewall by typing "shorewall restart"
-
+ - See if there are any incompatibilities between your configuration
+ and the new Shorewall version (type "shorewall check") and correct as
+necessary.
+ - Restart the firewall by typing "shorewall restart"
+
- If you already have a running Bering
-installation and wish to upgrade to a later version of Shorewall:
-
- UNDER CONSTRUCTION...
-
+ If you already have a running Bering
+ installation and wish to upgrade to a later version of Shorewall:
+
+ UNDER CONSTRUCTION...
+
Configuring Shorewall
-
-You will need to edit some or all of the configuration files to match
- your setup. In most cases, the Shorewall QuickStart Guides
-contain all of the information you need.
-
+
+You will need to edit some or all of the configuration files to match
+your setup. In most cases, the Shorewall
+ QuickStart Guides contain all of the information you need.
+
-
-Updated 2/27/2003 - Tom Eastep
+
+Updated 3/18/2003 - Tom Eastep
-
+
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
+
+
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm
index 9e62e68e9..e527b6be9 100644
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
@@ -3,7 +3,7 @@
-
+
Shorewall News
@@ -12,2622 +12,2743 @@
+
-
+
-
+
-
-
- |
+ |
+
-
+
Shorewall News Archive
- |
-
+
+
-
-
+
+
-
-3/17/2003 - Shorewall 1.4.0
- Shorewall 1.4 represents
-the next step in the evolution of Shorewall. The main thrust of the initial
- release is simply to remove the cruft that has accumulated in Shorewall
-over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip'
- utility).
-
- Function from 1.3 that has been omitted from this version include:
-
-
- - The MERGE_HOSTS variable in shorewall.conf is no longer supported.
- Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
-
-
- - Interface names of the form <device>:<integer> in
- /etc/shorewall/interfaces now generate an error.
-
-
- - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
- OLD_PING_HANDLING=Yes will generate an error at startup as will specification
- of the 'noping' or 'filterping' interface options.
-
-
- - The 'routestopped' option in the /etc/shorewall/interfaces and
- /etc/shorewall/hosts files is no longer supported and will generate an
-error at startup if specified.
-
-
- - The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
- accepted.
-
-
- - The ALLOWRELATED variable in shorewall.conf is no longer supported.
- Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
-
-
- - The icmp.def file has been removed.
-
-
-
- Changes for 1.4 include:
-
-
- - The /etc/shorewall/shorewall.conf file has been completely reorganized
- into logical sections.
-
-
- - LOG is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - The firewall script and version file are now installed in /usr/share/shorewall.
-
-
- - Late arriving DNS replies are now silently dropped in the common
- chain by default.
-
-
- - In addition to behaving like OLD_PING_HANDLING=No, Shorewall
-1.4 no longer unconditionally accepts outbound ICMP packets. So if you
-want to 'ping' from the firewall, you will need the appropriate rule or
-policy.
-
-
- - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - 802.11b devices with names of the form wlan<n> now support the
-'maclist' option.
-
-
- - Explicit Congestion Notification (ECN - RFC 3168) may now be turned
-off on a host or network basis using the new /etc/shorewall/ecn file. To use
-this facility:
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-
- - The /etc/shorewall/params file is now processed first so that variables
-may be used in the /etc/shorewall/shorewall.conf file.
-
-
- - Shorewall now gives a more helpful diagnostic when the
-'ipchains' compatibility kernel module is loaded and a 'shorewall start'
- command is issued.
-
-
- - The SHARED_DIR variable has been removed from shorewall.conf. This
-variable was for use by package maintainers and was not documented for general
-use.
-
-
- - Shorewall now ignores 'default' routes when detecting masq'd networks.
-
-
-
-2/8/2003 - Shoreawall 1.3.14
-
-New features include
-
-
- - An OLD_PING_HANDLING option has been added to shorewall.conf.
- When set to Yes, Shorewall ping handling is as it has always been
-(see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled via
- rules and policies just like any other connection request. The FORWARDPING=Yes
- option in shorewall.conf and the 'noping' and 'filterping' options
- in /etc/shorewall/interfaces will all generate an error.
-
-
- - It is now possible to direct Shorewall to create a "label"
- such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
- and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
- of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names of the form $DEV.$VID
- (e.g., eth0.0)
-
-
- - In /etc/shorewall/tcrules, the MARK value may be optionally
- followed by ":" and either 'F' or 'P' to designate that the marking will
- occur in the FORWARD or PREROUTING chains respectively. If this additional
- specification is omitted, the chain used to mark packets will be determined
- by the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
-
-
- - When an interface name is entered in the SUBNET column of
- the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
- from only the first subnet defined on that interface. It did not masquerade
- traffic from:
-
- a) The subnets associated with other addresses on the
-interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an interface
- name in the SUBNET column, shorewall will use the firewall's routing
- table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
+
+3/24/2003 - Shorewall 1.4.1
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+This release follows up on 1.4.0. It corrects a problem introduced in
+1.4.0 and removes additional warts.
+
+ Problems Corrected:
+
+
+
+ - When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
+it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
+is empty. That problem has been corrected so that ECN disabling rules are
+only added if there are entries in /etc/shorewall/ecn.
+
+ New Features:
+
+Note: In the list that follows, the term group refers to
+a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a
+host address) accessed through a particular interface. Examples:
+
+ eth0:0.0.0.0/0
+ eth2:192.168.1.0/24
+ eth3:192.0.2.123
+
+ You can use the "shorewall check" command to see the groups associated with
+each of your zones.
+
+
+
+ - Beginning with Shorewall 1.4.1, if a zone Z comprises more than one
+group then if there is no explicit Z to Z policy and there are no
+rules governing traffic from Z to Z then Shorewall will permit all traffic
+between the groups in the zone.
+ - Beginning with Shorewall 1.4.1, Shorewall will never create rules to
+handle traffic from a group to itself.
+ - A NONE policy is introduced in 1.4.1. When a policy of NONE is specified
+from Z1 to Z2:
+
+
+
+ - There may be no rules created that govern connections from Z1 to Z2.
+ - Shorewall will not create any infrastructure to handle traffic from
+Z1 to Z2.
+
+ See the upgrade issues for a discussion
+of how these changes may affect your configuration.
+3/17/2003 - Shorewall 1.4.0
+ Shorewall 1.4 represents
+ the next step in the evolution of Shorewall. The main thrust of the initial
+ release is simply to remove the cruft that has accumulated in Shorewall
+ over time.
+
+ IMPORTANT: Shorewall 1.4.0 requires the iproute package
+('ip' utility).
+
+ Function from 1.3 that has been omitted from this version include:
+
+
+ - The MERGE_HOSTS variable in shorewall.conf is no longer
+supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
+
+
+ - Interface names of the form <device>:<integer>
+in /etc/shorewall/interfaces now generate an error.
+
+
+ - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
+ OLD_PING_HANDLING=Yes will generate an error at startup as will specification
+ of the 'noping' or 'filterping' interface options.
+
+
+ - The 'routestopped' option in the /etc/shorewall/interfaces
+and /etc/shorewall/hosts files is no longer supported and will generate
+an error at startup if specified.
+
+
+ - The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
+longer accepted.
+
+
+ - The ALLOWRELATED variable in shorewall.conf is no longer supported.
+ Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
+
+
+ - The icmp.def file has been removed.
+
+
+
+ Changes for 1.4 include:
+
+
+ - The /etc/shorewall/shorewall.conf file has been completely
+reorganized into logical sections.
+
+
+ - LOG is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - The firewall script and version file are now installed in
+/usr/share/shorewall.
+
+
+ - Late arriving DNS replies are now silently dropped in the
+common chain by default.
+
+
+ - In addition to behaving like OLD_PING_HANDLING=No, Shorewall
+ 1.4 no longer unconditionally accepts outbound ICMP packets. So if you
+ want to 'ping' from the firewall, you will need the appropriate rule or
+ policy.
+
+
+ - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
+
+
+ - 802.11b devices with names of the form wlan<n> now support
+the 'maclist' option.
+
+
+ - Explicit Congestion Notification (ECN - RFC 3168) may now be turned
+ off on a host or network basis using the new /etc/shorewall/ecn file. To
+use this facility:
+
+ a) You must be running kernel 2.4.20
+ b) You must have applied the patch in
+ http://www.shorewall/net/pub/shorewall/ecn/patch.
+ c) You must have iptables 1.2.7a installed.
+
+
+ - The /etc/shorewall/params file is now processed first so that variables
+ may be used in the /etc/shorewall/shorewall.conf file.
+
+
+ - Shorewall now gives a more helpful diagnostic when the
+ 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
+ command is issued.
+
+
+ - The SHARED_DIR variable has been removed from shorewall.conf. This
+ variable was for use by package maintainers and was not documented for
+general use.
+
+
+ - Shorewall now ignores 'default' routes when detecting masq'd networks.
+
+
+
+3/10/2003 - Shoreall 1.3.14a
+
+A roleup of the following bug fixes and other updates:
+
+
+ - There is an updated rfc1918 file that reflects the resent allocation
+ of 222.0.0.0/8 and 223.0.0.0/8.
+
+
+
+
+ - The documentation for the routestopped file claimed that a comma-separated
+ list could appear in the second column while the code only supported a
+ single host or network address.
+ - Log messages produced by 'logunclean' and 'dropunclean' were not
+rate-limited.
+ - 802.11b devices with names of the form wlan<n> don't
+ support the 'maclist' interface option.
+ - Log messages generated by RFC 1918 filtering are not rate limited.
+ - The firewall fails to start in the case where you have "eth0 eth1"
+in /etc/shorewall/masq and the default route is through eth1
+
+
+
+2/8/2003 - Shoreawall 1.3.14
+
+New features include
+
+
+ - An OLD_PING_HANDLING option has been added to shorewall.conf.
+ When set to Yes, Shorewall ping handling is as it has always been
+(see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled
+via rules and policies just like any other connection request. The
+FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
+options in /etc/shorewall/interfaces will all generate an error.
+
+
+ - It is now possible to direct Shorewall to create a "label"
+ such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+ and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
+ of just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - Support for OpenVPN Tunnels.
+
+
+ - Support for VLAN devices with names of the form $DEV.$VID
+ (e.g., eth0.0)
+
+
+ - In /etc/shorewall/tcrules, the MARK value may be optionally
+ followed by ":" and either 'F' or 'P' to designate that the marking
+will occur in the FORWARD or PREROUTING chains respectively. If this
+additional specification is omitted, the chain used to mark packets
+will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
+in shorewall.conf.
+
+
+ - When an interface name is entered in the SUBNET column
+of the /etc/shorewall/masq file, Shorewall previously masqueraded
+traffic from only the first subnet defined on that interface. It did
+not masquerade traffic from:
+
+ a) The subnets associated with other addresses on the
+ interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an interface
+ name in the SUBNET column, shorewall will use the firewall's routing
+ table to construct the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
+
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
-local subnets connected to an interface that is specified in the
+
+ When upgrading to Shorewall 1.3.14, if you have multiple
+ local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is as follows:
-
+
+ Example 2 -- Suppose that your current config is as follows:
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
-is no longer required.
-
- Example 3 -- What if your current configuration is like this?
-
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration is like
+this?
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry in /etc/shorewall/masq
- to:
+
+ In this case, you would want to change the entry in
+/etc/shorewall/masq to:
-
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
-
+
- 2/5/2003 - Shorewall Support included in Webmin 1.060
-
+ 2/5/2003 - Shorewall Support included in Webmin 1.060
+
Webmin version 1.060 now has Shorewall support included as standard. See
- http://www.webmin.com.
-
- 2/4/2003 - Shorewall 1.3.14-RC1
-
+ http://www.webmin.com.
+
+ 2/4/2003 - Shorewall 1.3.14-RC1
+
Includes the Beta 2 content plus support for OpenVPN tunnels.
-
+
1/28/2003 - Shorewall 1.3.14-Beta2
-
+
Includes the Beta 1 content plus restores VLAN device names of the form
- $dev.$vid (e.g., eth0.1)
-
+ $dev.$vid (e.g., eth0.1)
+
1/25/2003 - Shorewall 1.3.14-Beta1
-
-
+
+
The Beta includes the following changes:
-
-
+
+
- - An OLD_PING_HANDLING option has been added to shorewall.conf.
- When set to Yes, Shorewall ping handling is as it has always been (see
- http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled via
- rules and policies just like any other connection request. The FORWARDPING=Yes
- option in shorewall.conf and the 'noping' and 'filterping' options
- in /etc/shorewall/interfaces will all generate an error.
-
-
- - It is now possible to direct Shorewall to create a
-"label" such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
- and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
- of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - When an interface name is entered in the SUBNET column
- of the /etc/shorewall/masq file, Shorewall previously masqueraded
+
- An OLD_PING_HANDLING option has been added to shorewall.conf.
+ When set to Yes, Shorewall ping handling is as it has always been
+(see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled
+via rules and policies just like any other connection request. The
+FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
+options in /etc/shorewall/interfaces will all generate an error.
+
+
+ - It is now possible to direct Shorewall to create
+a "label" such as "eth0:0" for IP addresses that it creates under
+ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
+the label instead of just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - When an interface name is entered in the SUBNET column
+ of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It did
not masquerade traffic from:
-
- a) The subnets associated with other addresses on the
-interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an interface
- name in the SUBNET column, shorewall will use the firewall's routing
- table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
+
+ a) The subnets associated with other addresses on the
+ interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an interface
+ name in the SUBNET column, shorewall will use the firewall's routing
+ table to construct the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
+
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
-local subnets connected to an interface that is specified in the
+
+ When upgrading to Shorewall 1.3.14, if you have multiple
+ local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is as follows:
-
+
+ Example 2 -- Suppose that your current config is as follows:
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
-is no longer required.
-
- Example 3 -- What if your current configuration is like this?
-
+
+ In this case, the second entry in /etc/shorewall/masq
+ is no longer required.
+
+ Example 3 -- What if your current configuration is like
+this?
+
-
+
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry in /etc/shorewall/masq
- to:
+
+ In this case, you would want to change the entry in
+/etc/shorewall/masq to:
-
+
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
-
+
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
-
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation.
- the PDF may be downloaded from
-
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
+
1/17/2003 - shorewall.net has MOVED
-
+
Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net
are now hosted on a system in Bellevue, Washington. A big thanks to Alex
for making this happen.
-
-
-1/13/2003 - Shorewall 1.3.13
-
-
-Just includes a few things that I had on the burner:
-
-
-
- - A new 'DNAT-' action has been added for entries
-in the /etc/shorewall/rules file. DNAT- is intended for advanced
-users who wish to minimize the number of rules that connection requests
- must traverse.
-
- A Shorewall DNAT rule actually generates two iptables
-rules: a header rewriting rule in the 'nat' table and an ACCEPT rule
-in the 'filter' table. A DNAT- rule only generates the first of these
- rules. This is handy when you have several DNAT rules that would
-generate the same ACCEPT rule.
-
- Here are three rules from my previous rules file:
-
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-
- These three rules ended up generating _three_ copies
- of
-
- ACCEPT net dmz:206.124.146.177 tcp smtp
-
- By writing the rules this way, I end up with only
-one copy of the ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
-
-
- - The 'shorewall check' command now prints out the
- applicable policy between each pair of zones.
-
-
- - A new CLEAR_TC option has been added to shorewall.conf.
- If this option is set to 'No' then Shorewall won't clear the current
- traffic control rules during [re]start. This setting is intended for
- use by people that prefer to configure traffic shaping when the network
- interfaces come up rather than when the firewall is started. If that
-is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not
-supply an /etc/shorewall/tcstart file. That way, your traffic shaping
-rules can still use the 'fwmark' classifier based on packet marking defined
-in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable has been added that allows
- distribution packagers to easily move the shared directory (default
- /usr/lib/shorewall). Users should never have a need to change the
- value of this shorewall.conf setting.
-
-
-
-
-1/6/2003 - BURNOUT
-
-
-Until further notice, I will not be involved in either Shorewall Development
- or Shorewall Support
-
--Tom Eastep
+1/13/2003 - Shorewall 1.3.13
+
+
+Just includes a few things that I had on the burner:
+
+
+
+ - A new 'DNAT-' action has been added for entries
+ in the /etc/shorewall/rules file. DNAT- is intended for advanced
+ users who wish to minimize the number of rules that connection requests
+ must traverse.
+
+ A Shorewall DNAT rule actually generates two iptables
+ rules: a header rewriting rule in the 'nat' table and an ACCEPT rule
+ in the 'filter' table. A DNAT- rule only generates the first of
+these rules. This is handy when you have several DNAT rules that would
+generate the same ACCEPT rule.
+
+ Here are three rules from my previous rules file:
+
+ DNAT net dmz:206.124.146.177 tcp smtp -
+206.124.146.178
+ DNAT net dmz:206.124.146.177 tcp smtp -
+206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
+
+ These three rules ended up generating _three_ copies
+ of
+
+ ACCEPT net dmz:206.124.146.177 tcp smtp
+
+ By writing the rules this way, I end up with only
+ one copy of the ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177 tcp smtp -
+206.124.146.178
+ DNAT- net dmz:206.124.146.177 tcp smtp -
+206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
+
+
+ - The 'shorewall check' command now prints out
+the applicable policy between each pair of zones.
+
+
+ - A new CLEAR_TC option has been added to shorewall.conf.
+ If this option is set to 'No' then Shorewall won't clear the current
+ traffic control rules during [re]start. This setting is intended for
+ use by people that prefer to configure traffic shaping when the network
+ interfaces come up rather than when the firewall is started. If that
+ is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not
+ supply an /etc/shorewall/tcstart file. That way, your traffic shaping
+ rules can still use the 'fwmark' classifier based on packet marking defined
+ in /etc/shorewall/tcrules.
+
+
+ - A new SHARED_DIR variable has been added that
+allows distribution packagers to easily move the shared directory
+(default /usr/lib/shorewall). Users should never have a need to change
+the value of this shorewall.conf setting.
+
+
+
+
+1/6/2003 - BURNOUT
+
+
+Until further notice, I will not be involved in either Shorewall Development
+ or Shorewall Support
+
+-Tom Eastep
+
+
12/30/2002 - Shorewall Documentation in PDF Format
-
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation.
- the PDF may be downloaded from
-
+ the PDF may be downloaded from
+
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
-
+
+
+
12/27/2002 - Shorewall 1.3.12 Released
-
+
Features include:
-
-
+
+
- - "shorewall refresh" now reloads the traffic
-shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start" now turns off debugging
- after an error occurs. This places the point of the failure near
- the end of the trace rather than up in the middle of it.
- - "shorewall [re]start" has been speeded up by
-more than 40% with my configuration. Your milage may vary.
- - A "shorewall show classifiers" command has been
- added which shows the current packet classification filters.
-The output from this command is also added as a separate page
-in "shorewall monitor"
- - ULOG (must be all caps) is now accepted as a
-valid syslog level and causes the subject packets to be logged
-using the ULOG target rather than the LOG target. This allows you
-to run ulogd (available from "shorewall refresh" now reloads the traffic
+ shaping rules (tcrules and tcstart).
+ - "shorewall debug [re]start" now turns off
+debugging after an error occurs. This places the point of the
+failure near the end of the trace rather than up in the middle
+of it.
+ - "shorewall [re]start" has been speeded up
+by more than 40% with my configuration. Your milage may vary.
+ - A "shorewall show classifiers" command has
+been added which shows the current packet classification filters.
+ The output from this command is also added as a separate page
+ in "shorewall monitor"
+ - ULOG (must be all caps) is now accepted as
+a valid syslog level and causes the subject packets to be logged
+ using the ULOG target rather than the LOG target. This allows you
+ to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages to a separate log file.
- - If you are running a kernel that has a FORWARD
- chain in the mangle table ("shorewall show mangle" will show you
- the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
- in shorewall.conf. This allows for
- marking input packets based on their destination even when you
- are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall directory
- with empty 'init', 'start', 'stop' and 'stopped' files. If you
- already have a file with one of these names, don't worry -- the upgrade
- process won't overwrite your file.
- - I have added a new RFC1918_LOG_LEVEL variable
- to shorewall.conf. This variable
- specifies the syslog level at which packets are logged as a result
- of entries in the /etc/shorewall/rfc1918 file. Previously, these
-packets were always logged at the 'info' level.
-
-
+ - If you are running a kernel that has a FORWARD
+ chain in the mangle table ("shorewall show mangle" will show
+you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
+ in shorewall.conf. This allows
+for marking input packets based on their destination even when
+you are using Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall directory
+ with empty 'init', 'start', 'stop' and 'stopped' files. If you
+ already have a file with one of these names, don't worry -- the
+upgrade process won't overwrite your file.
+ - I have added a new RFC1918_LOG_LEVEL variable
+ to shorewall.conf. This variable
+ specifies the syslog level at which packets are logged as a result
+ of entries in the /etc/shorewall/rfc1918 file. Previously, these
+ packets were always logged at the 'info' level.
+
+
-
+
12/20/2002 - Shorewall 1.3.12 Beta 3
-
- This version corrects a problem with Blacklist logging.
- In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the
- firewall would fail to start and "shorewall refresh" would also fail.
-
+
+ This version corrects a problem with Blacklist
+logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything
+but ULOG, the firewall would fail to start and "shorewall refresh"
+would also fail.
+
12/20/2002 - Shorewall 1.3.12 Beta 2
-
+
The first public Beta version of Shorewall 1.3.12 is now available (Beta
- 1 was made available only to a limited audience).
-
- Features include:
-
+ 1 was made available only to a limited audience).
+
+ Features include:
+
- - "shorewall refresh" now reloads the traffic
- shaping rules (tcrules and tcstart).
- - "shorewall debug [re]start" now turns off
- debugging after an error occurs. This places the point of the
- failure near the end of the trace rather than up in the middle of
- it.
- - "shorewall [re]start" has been speeded
-up by more than 40% with my configuration. Your milage may vary.
- - A "shorewall show classifiers" command
-has been added which shows the current packet classification
-filters. The output from this command is also added as a separate
-page in "shorewall monitor"
- - ULOG (must be all caps) is now accepted
-as a valid syslog level and causes the subject packets to be logged
- using the ULOG target rather than the LOG target. This allows
+
- "shorewall refresh" now reloads the traffic
+ shaping rules (tcrules and tcstart).
+ - "shorewall debug [re]start" now turns
+off debugging after an error occurs. This places the point of
+the failure near the end of the trace rather than up in the middle
+of it.
+ - "shorewall [re]start" has been speeded
+ up by more than 40% with my configuration. Your milage may vary.
+ - A "shorewall show classifiers" command
+ has been added which shows the current packet classification
+ filters. The output from this command is also added as a separate
+ page in "shorewall monitor"
+ - ULOG (must be all caps) is now accepted
+ as a valid syslog level and causes the subject packets to be
+logged using the ULOG target rather than the LOG target. This allows
you to run ulogd (available from http://www.gnumonks.org/projects/ulogd)
- and log all Shorewall messages to a separate log file.
- - If you are running a kernel that has a
-FORWARD chain in the mangle table ("shorewall show mangle" will
-show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
- in shorewall.conf. This allows for marking input packets based
-on their destination even when you are using Masquerading or SNAT.
- - I have cluttered up the /etc/shorewall
-directory with empty 'init', 'start', 'stop' and 'stopped' files.
-If you already have a file with one of these names, don't worry
--- the upgrade process won't overwrite your file.
-
+ - If you are running a kernel that has
+a FORWARD chain in the mangle table ("shorewall show mangle"
+will show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
+ in shorewall.conf. This allows for marking input packets based
+ on their destination even when you are using Masquerading or SNAT.
+ - I have cluttered up the /etc/shorewall
+ directory with empty 'init', 'start', 'stop' and 'stopped'
+files. If you already have a file with one of these names, don't
+worry -- the upgrade process won't overwrite your file.
+
- You may download the Beta from:
-
+ You may download the Beta from:
+
http://www.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
-
+
+
12/12/2002 - Mandrake Multi Network Firewall 
-
- Shorewall is at the center of MandrakeSoft's
- recently-announced
+ Shorewall is at the center of MandrakeSoft's
+ recently-announced Multi
- Network Firewall (MNF) product. Here is the product. Here is the press
- release.
-
+ release.
+
12/7/2002 - Shorewall Support for Mandrake 9.0
-
+
Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered.
- I have installed 9.0 on one of my systems and I am now in
-a position to support Shorewall users who run Mandrake 9.0.
-
+ I have installed 9.0 on one of my systems and I am now in
+ a position to support Shorewall users who run Mandrake 9.0.
+
12/6/2002 - Debian 1.3.11a Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
12/3/2002 - Shorewall 1.3.11a
-
+
This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
- excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
- users who don't need rules of this type need not upgrade to
-1.3.11.
-
+ excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
+ users who don't need rules of this type need not upgrade to
+ 1.3.11.
+
11/24/2002 - Shorewall 1.3.11
-
+
In this version:
-
+
- - A 'tcpflags' option has been added
- to entries in /etc/shorewall/interfaces.
- This option causes Shorewall to make a set of sanity check on TCP
-packet header flags.
- - It is now allowed to use 'all' in
- the SOURCE or DEST column in a A 'tcpflags' option has been added
+ to entries in /etc/shorewall/interfaces.
+ This option causes Shorewall to make a set of sanity check on TCP
+ packet header flags.
+ - It is now allowed to use 'all'
+in the SOURCE or DEST column in a rule. When used, 'all' must
appear by itself (in may not be qualified) and it does not enable
intra-zone traffic. For example, the rule
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic from 'loc'
- to 'loc'.
- - Shorewall's use of the 'echo' command
- is now compatible with bash clones such as ash and dash.
- - fw->fw policies now generate
-a startup error. fw->fw rules generate a warning and
+
+ ACCEPT loc all tcp 80
+
+ does not enable http traffic from 'loc'
+ to 'loc'.
+ - Shorewall's use of the 'echo'
+command is now compatible with bash clones such as ash and
+dash.
+ - fw->fw policies now generate
+ a startup error. fw->fw rules generate a warning and
are ignored
-
+
-
+
11/14/2002 - Shorewall Documentation in PDF Format
-
+
+
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
- the PDF may be downloaded from
-
+ the PDF may be downloaded from
+
+
ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
-
+
+
+
11/09/2002 - Shorewall is Back at SourceForge
-
+
The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
+
-
+
11/09/2002 - Shorewall 1.3.10
-
+
In this version:
-
+
-
+
10/24/2002 - Shorewall is now in Gentoo Linux
-
- Alexandru Hartmann reports that his
- Shorewall package is now a part of
+ Alexandru Hartmann reports that
+his Shorewall package is now a part of the Gentoo Linux distribution.
Thanks Alex!
-
+
10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:
+ In this version:
-
+
- You may download the Beta from:
+ You may download the Beta from:
-
+
-
+
10/10/2002 - Debian 1.3.9b Packages Available
-
+
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
10/9/2002 - Shorewall 1.3.9b
- This release rolls up fixes to the
- installer and to the firewall script.
-
-
-10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall and server here at
- shorewall.net are now running RedHat release 8.0.
-
- 9/30/2002 - Shorewall 1.3.9a
- Roles up the fix for broken tunnels.
+ This release rolls up fixes to
+the installer and to the firewall script.
+10/6/2002 - Shorewall.net now running on RH8.0
+
+ The firewall and server here
+at shorewall.net are now running RedHat release 8.0.
+
+ 9/30/2002 - Shorewall 1.3.9a
+ Roles up the fix for broken
+tunnels.
+
+
9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated firewall script
- at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
- -- copy that file to /usr/lib/shorewall/firewall.
+ -- copy that file to /usr/lib/shorewall/firewall.
-
+
9/28/2002 - Shorewall 1.3.9
-
+
In this version:
-
+
-
+
- - DNS Names are
now allowed in Shorewall config files (although I recommend against
using them).
- - The connection SOURCE
- may now be qualified by both interface and IP address
- in a Shorewall rule.
- - Shorewall startup is
- now disabled after initial installation until the
-file /etc/shorewall/startup_disabled is removed. This avoids
- nasty surprises during reboot for users who install Shorewall
- but don't configure it.
- - The 'functions' and 'version'
- files and the 'firewall' symbolic link have been moved
- from /var/lib/shorewall to /usr/lib/shorewall to appease
- the LFS police at Debian.
-
-
-
-
-
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- 
- A couple of recent configuration
- changes at www.shorewall.net broke the Search facility:
-
-
-
-
-
-
- - Mailing List Archive
- Search was not available.
- - The Site Search index
- was incomplete
- - Only one page of
-matches was presented.
-
-
-
-
-
- Hopefully these problems
- are now corrected.
-
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
- A couple of recent configuration
- changes at www.shorewall.net had the negative effect
- of breaking the Search facility:
-
-
-
- - Mailing List Archive
- Search was not available.
- - The Site Search index
- was incomplete
- - Only one page of matches
- was presented.
-
-
-
- Hopefully these problems
-are now corrected.
-
-
-9/18/2002 - Debian 1.3.8 Packages Available
-
+ The connection SOURCE
+ may now be qualified by both interface and IP address
+ in a Shorewall rule.
+ Shorewall startup
+is now disabled after initial installation until the
+ file /etc/shorewall/startup_disabled is removed. This avoids
+ nasty surprises during reboot for users who install Shorewall
+ but don't configure it.
+ The 'functions' and
+'version' files and the 'firewall' symbolic link have
+been moved from /var/lib/shorewall to /usr/lib/shorewall
+ to appease the LFS police at Debian.
+
+
+
+
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+
+ A couple of recent configuration
+ changes at www.shorewall.net broke the Search facility:
+
+
+
+
+
+
+ - Mailing List Archive
+ Search was not available.
+ - The Site Search
+index was incomplete
+ - Only one page of
+ matches was presented.
+
+
+
+
+
+ Hopefully these problems
+ are now corrected.
+
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+ A couple of recent configuration
+ changes at www.shorewall.net had the negative effect
+ of breaking the Search facility:
+
+
+
+ - Mailing List Archive
+ Search was not available.
+ - The Site Search
+index was incomplete
+ - Only one page of
+matches was presented.
+
+
+
+ Hopefully these problems
+ are now corrected.
+
+
+9/18/2002 - Debian 1.3.8 Packages Available
+
+
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/16/2002 - Shorewall 1.3.8
-
+
In this version:
-
+
-
+
- - A A NEWNOTSYN option has been
added to shorewall.conf. This option determines whether Shorewall
- accepts TCP packets which are not part of an established
- connection and that are not 'SYN' packets (SYN flag on and
- ACK flag off).
- - The need for the
- 'multi' option to communicate between zones za and
- zb on the same interface is removed in the case where the
-chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
+ accepts TCP packets which are not part of an established
+ connection and that are not 'SYN' packets (SYN flag on and
+ ACK flag off).
+ - The need for
+the 'multi' option to communicate between zones za
+ and zb on the same interface is removed in the case where
+ the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist
+if:
-
+
- - There
-is a policy for za to zb; or
- - There is at
- least one rule for za to zb.
+ - There
+ is a policy for za to zb; or
+ - There is
+at least one rule for za to zb.
-
+
-
+
-
+
- - The /etc/shorewall/blacklist
- file now contains three columns. In addition to the
- SUBNET/ADDRESS column, there are optional PROTOCOL and
- PORT columns to block only certain applications from the
- blacklisted addresses.
-
+ - The /etc/shorewall/blacklist
+ file now contains three columns. In addition to
+the SUBNET/ADDRESS column, there are optional PROTOCOL
+ and PORT columns to block only certain applications from
+the blacklisted addresses.
+
-
+
-
+
9/11/2002 - Debian 1.3.7c Packages Available
-
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
9/2/2002 - Shorewall 1.3.7c
-
+
This is a role up of a fix for "DNAT" rules where the source zone is $FW
- (fw).
+ (fw).
-
+
8/31/2002 - I'm not available
-
+
I'm currently on vacation -- please respect my need for a couple of
weeks free of Shorewall problem reports.
-
+
-Tom
-
+
8/26/2002 - Shorewall 1.3.7b
-
+
This is a role up of the "shorewall refresh" bug fix and the change which
- reverses the order of "dhcp" and "norfc1918"
+ reverses the order of "dhcp" and "norfc1918"
checking.
-
+
8/26/2002 - French FTP Mirror is Operational
-
+
ftp://france.shorewall.net/pub/mirrors/shorewall
- is now available.
+ is now available.
-
+
8/25/2002 - Shorewall Mirror in France
-
+
Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored
- at http://france.shorewall.net.
-
+
8/25/2002 - Shorewall 1.3.7a Debian Packages Available
-
+
Lorenzo Martignoni reports that the packages for version 1.3.7a are available
- at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
- -- Shorewall 1.3.7a released
-
+
-
+
1.3.7a corrects problems occurring in rules file processing when starting
- Shorewall 1.3.7.
+ Shorewall 1.3.7.
-
+
8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
-
+
Features in this release include:
-
+
-
+
I would like to thank John Distler for his valuable input regarding TCP
- SYN and ICMP treatment in Shorewall. That input
- has led to marked improvement in Shorewall in the
+ SYN and ICMP treatment in Shorewall. That input
+ has led to marked improvement in Shorewall in the
last two releases.
-
+
8/13/2002 - Documentation in the CVS Repository
-
+
The Shorewall-docs project now contains just the HTML and image files
- the Frontpage files have been removed.
-
+
8/7/2002 - STABLE branch added to CVS Repository
-
+
This branch will only be updated after I release a new version of Shorewall
- so you can always update from this branch to
+ so you can always update from this branch to
get the latest stable tree.
-
+
8/7/2002 - Upgrade Issues section
added to the Errata Page
-
+
Now there is one place to go to look for issues involved with upgrading
- to recent versions of Shorewall.
+ to recent versions of Shorewall.
-
+
8/7/2002 - Shorewall 1.3.6
-
+
This is primarily a bug-fix rollup with a couple of new features:
-
+
- - The latest QuickStart Guides
- including the Shorewall Setup
- Guide.
- - Shorewall will
- now DROP TCP packets that are not part of or related
- to an existing connection and that are not SYN packets.
-These "New not SYN" packets may be optionally logged by
-setting the LOGNEWNOTSYN option in The latest
+ QuickStart Guides
+ including the Shorewall
+Setup Guide.
+ - Shorewall will
+ now DROP TCP packets that are not part of or related
+ to an existing connection and that are not SYN packets.
+ These "New not SYN" packets may be optionally logged
+by setting the LOGNEWNOTSYN option in /etc/shorewall/shorewall.conf.
- - The processing
- of "New not SYN" packets may be extended by commands
+
- The processing
+ of "New not SYN" packets may be extended by commands
in the new newnotsyn
- extension script.
+ extension script.
-
+
-
+
7/30/2002 - Shorewall 1.3.5b Released
-
+
This interim release:
-
+
-
+
7/29/2002 - New Shorewall Setup Guide Available
-
+
The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm.
- The guide is intended for use by people who are
- setting up Shorewall to manage multiple public IP
- addresses and by people who want to learn more about Shorewall
-than is described in the single-address guides. Feedback
- on the new guide is welcome.
+ The guide is intended for use by people who
+are setting up Shorewall to manage multiple public
+IP addresses and by people who want to learn more about
+Shorewall than is described in the single-address guides.
+ Feedback on the new guide is welcome.
-
+
7/28/2002 - Shorewall 1.3.5 Debian Package Available
-
+
Lorenzo Martignoni reports that the packages are version 1.3.5a and are
- available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/27/2002 - Shorewall 1.3.5a Released
-
+
This interim release restores correct handling of REDIRECT rules.
-
+
7/26/2002 - Shorewall 1.3.5 Released
-
+
This will be the last Shorewall release for a while. I'm going to be
focusing on rewriting a lot of the documentation.
-
+
In this version:
-
+
-
+
7/16/2002 - New Mirror in Argentina
-
+
Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in
- Argentina. Thanks Buanzo!!!
+ Argentina. Thanks Buanzo!!!
-
+
7/16/2002 - Shorewall 1.3.4 Released
-
+
In this version:
-
+
-
+
7/8/2002 - Shorewall 1.3.3 Debian Package Available
-
+
Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
7/6/2002 - Shorewall 1.3.3 Released
-
+
In this version:
-
+
- - Entries in /etc/shorewall/interface
- that use the wildcard character ("+") now have
- the "multi" option assumed.
- - The 'rfc1918'
-chain in the mangle table has been renamed 'man1918'
- to make log messages generated from that chain distinguishable
- from those generated by the 'rfc1918' chain in the
- filter table.
- - Interface names
- appearing in the hosts file are now validated against
- the interfaces file.
- - The TARGET column
- in the rfc1918 file is now checked for correctness.
- - The chain structure
- in the nat table has been changed to reduce the
- number of rules that a packet must traverse and to correct
-problems with NAT_BEFORE_RULES=No
- - The "hits" command
- has been enhanced.
+ - Entries in
+/etc/shorewall/interface that use the wildcard character
+ ("+") now have the "multi" option assumed.
+ - The 'rfc1918'
+ chain in the mangle table has been renamed 'man1918'
+ to make log messages generated from that chain distinguishable
+ from those generated by the 'rfc1918' chain in the
+ filter table.
+ - Interface names
+ appearing in the hosts file are now validated against
+ the interfaces file.
+ - The TARGET
+column in the rfc1918 file is now checked for correctness.
+ - The chain structure
+ in the nat table has been changed to reduce the
+ number of rules that a packet must traverse and to correct
+ problems with NAT_BEFORE_RULES=No
+ - The "hits"
+command has been enhanced.
-
+
-
+
6/25/2002 - Samples Updated for 1.3.2
-
+
The comments in the sample configuration files have been updated to reflect
- new features introduced in Shorewall 1.3.2.
+ new features introduced in Shorewall 1.3.2.
-
+
6/25/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/19/2002 - Documentation Available in PDF Format
-
+
Thanks to Mike Martinez, the Shorewall Documentation is now available
for download in Adobe PDF format.
-
+
6/16/2002 - Shorewall 1.3.2 Released
-
+
In this version:
-
+
-
+
6/6/2002 - Why CVS Web access is Password Protected
-
+
Last weekend, I installed the CVS Web package to provide brower-based
access to the Shorewall CVS repository. Since then, I have had several
instances where my server was almost unusable due to the high load generated
by website copying tools like HTTrack and WebStripper. These mindless tools:
-
+
- - Ignore robot.txt
- files.
- - Recursively copy
- everything that they find.
- - Should be classified
- as weapons rather than tools.
+ - Ignore robot.txt
+ files.
+ - Recursively
+copy everything that they find.
+ - Should be classified
+ as weapons rather than tools.
-
+
-
+
These tools/weapons are particularly damaging when combined with CVS Web
- because they doggedly follow every link in the
- cgi-generated HTML resulting in 1000s of executions
- of the cvsweb.cgi script. Yesterday, I spend several
- hours implementing measures to block these tools but unfortunately,
- these measures resulted in my server OOM-ing under even
- moderate load.
+ because they doggedly follow every link in the
+ cgi-generated HTML resulting in 1000s of executions
+ of the cvsweb.cgi script. Yesterday, I spend several
+ hours implementing measures to block these tools but unfortunately,
+ these measures resulted in my server OOM-ing under even
+ moderate load.
-
+
Until I have the time to understand the cause of the OOM (or until I buy
- more RAM if that is what is required), CVS Web
- access will remain Password Protected.
+ more RAM if that is what is required), CVS Web
+ access will remain Password Protected.
-
+
6/5/2002 - Shorewall 1.3.1 Debian Package Available
-
+
Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-
+
6/2/2002 - Samples Corrected
-
+
The 1.3.0 samples configurations had several serious problems that prevented
- DNS and SSH from working properly. These problems
- have been corrected in the 1.3.1 samples.
-
+
6/1/2002 - Shorewall 1.3.1 Released
-
+
Hot on the heels of 1.3.0, this release:
-
+
- - Corrects a serious
- problem with "all <zone> CONTINUE"
+
- Corrects a
+serious problem with "all <zone> CONTINUE"
policies. This problem is present in all versions of
Shorewall that support the CONTINUE policy. These previous
versions optimized away the "all2<zone>"
chain and replaced it with the "all2all" chain with the usual
result that a policy of REJECT was enforced rather than the intended
CONTINUE policy.
- - Adds an Adds an /etc/shorewall/rfc1918
file for defining the exact behavior of the 'norfc1918' interface option.
-
+
-
+
5/29/2002 - Shorewall 1.3.0 Released
-
+
In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
includes:
-
+
- - A 'filterping'
- interface option that allows ICMP echo-request (ping)
- requests addressed to the firewall to be handled by entries
- in /etc/shorewall/rules and /etc/shorewall/policy.
+ - A 'filterping'
+ interface option that allows ICMP echo-request (ping)
+ requests addressed to the firewall to be handled by entries
+ in /etc/shorewall/rules and /etc/shorewall/policy.
-
+
-
+
5/23/2002 - Shorewall 1.3 RC1 Available
-
+
In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
incorporates the following:
-
+
-
+
5/19/2002 - Shorewall 1.3 Beta 2 Available
-
+
In addition to the changes in Beta 1, this release which carries the
designation 1.2.91 adds:
-
+
-
+
5/17/2002 - Shorewall 1.3 Beta 1 Available
-
+
Beta 1 carries the version designation 1.2.90 and implements the following
- features:
+ features:
-
+
- - Simplified rule
- syntax which makes the intent of each rule clearer
-and hopefully makes Shorewall easier to learn.
- - Upward compatibility
- with 1.2 configuration files has been maintained
- so that current users can migrate to the new syntax
- at their convenience.
- - Simplified
+rule syntax which makes the intent of each rule clearer
+ and hopefully makes Shorewall easier to learn.
+ - Upward compatibility
+ with 1.2 configuration files has been maintained
+ so that current users can migrate to the new syntax
+ at their convenience.
+ - WARNING: Compatibility with the old
parameterized sample configurations has NOT been maintained.
Users still running those configurations should migrate
- to the new sample configurations before upgrading to
- 1.3 Beta 1.
+ to the new sample configurations before upgrading to
+ 1.3 Beta 1.
-
+
-
+
5/4/2002 - Shorewall 1.2.13 is Available
-
+
In this version:
-
+
-
+
4/30/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
Debian
Testing Branch and the Debian
Unstable Branch.
-
+
4/20/2002 - Shorewall 1.2.12 is Available
-
+
- - The 'try' command
- works again
- - There is now
-a single RPM that also works with SuSE.
+ - The 'try' command
+ works again
+ - There is now
+ a single RPM that also works with SuSE.
-
+
-
+
4/17/2002 - Shorewall Debian News
-
+
Lorenzo Marignoni reports that:
-
+
-
+
Thanks, Lorenzo!
-
+
4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
-
+
Thanks to Stefan Mohr, there
- is now a Shorewall 1.2.11
- SuSE RPM available.
+ SuSE RPM available.
-
+
4/13/2002 - Shorewall 1.2.11 Available
-
+
In this version:
-
+
-
+
4/13/2002 - Hamburg Mirror now has FTP
-
+
Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.
- Thanks Stefan!
+ Thanks Stefan!
-
+
4/12/2002 - New Mirror in Hamburg
-
+
Thanks to Stefan Mohr, there
- is now a mirror of the Shorewall website at
- http://germany.shorewall.net.
-
+ is now a mirror of the Shorewall website at
+ http://germany.shorewall.net.
+
-
+
4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
-
+
Version 1.1 of the QuickStart
- Guide is now available. Thanks to those who
- have read version 1.0 and offered their suggestions.
- Corrections have also been made to the sample scripts.
+ Guide is now available. Thanks to those
+who have read version 1.0 and offered their suggestions.
+ Corrections have also been made to the sample scripts.
-
+
4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
-
+
Version 1.0 of the QuickStart
- Guide is now available. This Guide and its
- accompanying sample configurations are expected
+ Guide is now available. This Guide and its
+ accompanying sample configurations are expected
to provide a replacement for the recently withdrawn parameterized
- samples.
+ samples.
-
+
4/8/2002 - Parameterized Samples Withdrawn
-
+
Although the parameterized
- samples have allowed people to get a firewall
- up and running quickly, they have unfortunately set
- the wrong level of expectation among those who have used
- them. I am therefore withdrawing support for the samples
+ samples have allowed people to get a firewall
+ up and running quickly, they have unfortunately
+set the wrong level of expectation among those who have
+used them. I am therefore withdrawing support for the samples
and I am recommending that they not be used in new Shorewall
- installations.
+ installations.
-
+
4/2/2002 - Updated Log Parser
-
+
John Lodge has provided an updated
- version of his CGI-based log parser
with corrected date handling.
-
+
3/30/2002 - Shorewall Website Search Improvements
-
+
The quick search on the home page now excludes the mailing list archives.
- The Extended Search
- allows excluding the archives or restricting the
-search to just the archives. An archive search form
-is also available on the Extended Search
+ allows excluding the archives or restricting the
+ search to just the archives. An archive search form
+ is also available on the mailing list information
- page.
+ page.
-
+
3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
-
+
-
+
3/25/2002 - Log Parser Available
-
+
John Lodge has provided a CGI-based log parser for Shorewall. Thanks
- John.
+ John.
-
+
3/20/2002 - Shorewall 1.2.10 Released
-
+
In this version:
-
+
-
+
3/11/2002 - Shorewall 1.2.9 Released
-
+
In this version:
-
+
-
+
3/1/2002 - 1.2.8 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/25/2002 - New Two-interface Sample
-
+
I've enhanced the two interface sample to allow access from the firewall
- to servers in the local zone -
- http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
-
+
2/23/2002 - Shorewall 1.2.8 Released
-
+
Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
problems associated with the lock file used to prevent multiple state-changing
- operations from occuring simultaneously. My apologies
- for any inconvenience my carelessness may have caused.
+ operations from occuring simultaneously. My
+apologies for any inconvenience my carelessness
+may have caused.
-
+
2/22/2002 - Shorewall 1.2.7 Released
-
+
In this version:
-
+
- - UPnP probes (UDP
- destination port 1900) are now silently dropped
-in the common chain
- - RFC 1918 checking
- in the mangle table has been streamlined to no longer
- require packet marking. RFC 1918 checking in the filter
- table has been changed to require half as many rules as previously.
- - A 'shorewall
-check' command has been added that does a cursory
-validation of the zones, interfaces, hosts, rules and
+
- UPnP probes
+(UDP destination port 1900) are now silently dropped
+ in the common chain
+ - RFC 1918 checking
+ in the mangle table has been streamlined to no longer
+ require packet marking. RFC 1918 checking in the filter
+ table has been changed to require half as many rules as previously.
+ - A 'shorewall
+ check' command has been added that does a cursory
+ validation of the zones, interfaces, hosts, rules and
policy files.
-
+
-
+
2/18/2002 - 1.2.6 Debian Package is Available
-
+
See http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/8/2002 - Shorewall 1.2.6 Released
-
+
In this version:
-
+
- - $-variables may
- now be used anywhere in the configuration files except
- /etc/shorewall/zones.
- - The interfaces
- and hosts files now have their contents validated
- before any changes are made to the existing Netfilter
+
- $-variables
+may now be used anywhere in the configuration files
+ except /etc/shorewall/zones.
+ - The interfaces
+ and hosts files now have their contents validated
+ before any changes are made to the existing Netfilter
configuration. The appearance of a zone name that isn't
defined in /etc/shorewall/zones causes "shorewall start"
- and "shorewall restart" to abort without changing the Shorewall
- state. Unknown options in either file cause a warning to be
- issued.
- - A problem occurring
- when BLACKLIST_LOGLEVEL was not set has been corrected.
+ and "shorewall restart" to abort without changing the Shorewall
+ state. Unknown options in either file cause a warning to
+be issued.
+ - A problem occurring
+ when BLACKLIST_LOGLEVEL was not set has been
+corrected.
-
+
-
+
2/4/2002 - Shorewall 1.2.5 Debian Package Available
-
+
see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
2/1/2002 - Shorewall 1.2.5 Released
-
+
Due to installation problems with Shorewall 1.2.4, I have released Shorewall
- 1.2.5. Sorry for the rapid-fire development.
+ 1.2.5. Sorry for the rapid-fire development.
-
+
In version 1.2.5:
-
+
- - The installation
- problems have been corrected.
- - The installation
+ problems have been corrected.
+ - SNAT is now supported.
- - A "shorewall version"
- command has been added
- - The default value
- of the STATEDIR variable in /etc/shorewall/shorewall.conf
- has been changed to /var/lib/shorewall in order
- to conform to the GNU/Linux File Hierarchy Standard, Version
- 2.2.
+ - A "shorewall
+version" command has been added
+ - The default
+value of the STATEDIR variable in /etc/shorewall/shorewall.conf
+ has been changed to /var/lib/shorewall in order
+ to conform to the GNU/Linux File Hierarchy Standard, Version
+ 2.2.
-
+
-
+
1/28/2002 - Shorewall 1.2.4 Released
-
+
- - The "fw" zone
- may now be given a different
-name.
- - You may now place
- end-of-line comments (preceded by '#') in any of
-the configuration files
- - There is now protection
- against against two state changing operations
- occuring concurrently. This is implemented using the 'lockfile'
- utility if it is available (lockfile is part of procmail);
- otherwise, a less robust technique is used. The lockfile
- is created in the STATEDIR defined in /etc/shorewall/shorewall.conf
- and has the name "lock".
- - "shorewall start"
- no longer fails if "detect" is specified in
- /etc/shorewall/interfaces
+
- The "fw" zone
+ may now be given a different
+ name.
+ - You may now
+place end-of-line comments (preceded by '#') in any
+ of the configuration files
+ - There is now
+protection against against two state changing operations
+ occuring concurrently. This is implemented using the
+ 'lockfile' utility if it is available (lockfile is part
+ of procmail); otherwise, a less robust technique is used.
+ The lockfile is created in the STATEDIR defined in /etc/shorewall/shorewall.conf
+ and has the name "lock".
+ - "shorewall start"
+ no longer fails if "detect" is specified in
+ /etc/shorewall/interfaces
for an interface with subnet mask 255.255.255.255.
-
+
-
+
1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
-
+
1/20/2002 - Corrected firewall script available
-
+
Corrects a problem with BLACKLIST_LOGLEVEL. See the
- errata for details.
+ errata for details.
-
+
1/19/2002 - Shorewall 1.2.3 Released
-
+
This is a minor feature and bugfix release. The single new feature is:
-
+
-
+
The following problems were corrected:
-
+
- - The "shorewall
-status" command no longer hangs.
- - The "shorewall
-monitor" command now displays the icmpdef chain
- - The CLIENT PORT(S)
- column in tcrules is no longer ignored
+ - The "shorewall
+ status" command no longer hangs.
+ - The "shorewall
+ monitor" command now displays the icmpdef chain
+ - The CLIENT PORT(S)
+ column in tcrules is no longer ignored
-
+
-
+
1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
-
+
Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
- that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo
- for details.
+ for details.
-
+
1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2
- Shorewall Debian package is now available. There
- is a link to Lorenzo's site from the Shorewall download page.
-
+
1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores
- the "shorewall status" command to health.
+ the "shorewall status" command to health.
-
+
1/8/2002 - Shorewall 1.2.2 Released
-
+
In version 1.2.2
-
+
-
+
1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates
- to the previously-released samples. There are two
- new rules added:
+ to the previously-released samples. There are
+two new rules added:
-
+
- - Unless you have
- explicitly enabled Auth connections (tcp port 113)
+
- Unless you have
+ explicitly enabled Auth connections (tcp port 113)
to your firewall, these connections will be REJECTED
rather than DROPPED. This speeds up connection establishment
to some servers.
- - Orphan DNS replies
- are now silently dropped.
+ - Orphan DNS replies
+ are now silently dropped.
-
+
-
+
See the README file for upgrade instructions.
-
+
1/1/2002 - Shorewall Mailing List Moving
-
+
The Shorewall mailing list hosted at
- Sourceforge is moving to Shorewall.net. If
-you are a current subscriber to the list at Sourceforge,
- please see these instructions.
- If you would like to subscribe to the new list,
-visit is moving to Shorewall.net. If
+ you are a current subscriber to the list at Sourceforge,
+ please see these instructions.
+ If you would like to subscribe to the new list,
+ visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
-
+
12/31/2001 - Shorewall 1.2.1 Released
-
+
In version 1.2.1:
-
+
-
+
12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist
releasing 1.2 on 12/21/2001
-
+
Version 1.2 contains the following new features:
-
+
-
+
For the next month or so, I will continue to provide corrections to version
- 1.1.18 as necessary so that current version 1.1.x
- users will not be forced into a quick upgrade to 1.2.0
- just to have access to bug fixes.
+ 1.1.18 as necessary so that current version 1.1.x
+ users will not be forced into a quick upgrade to 1.2.0
+ just to have access to bug fixes.
-
+
For those of you who have installed one of the Beta RPMS, you will need
- to use the "--oldpackage" option when upgrading
- to 1.2.0:
+ to use the "--oldpackage" option when upgrading
+ to 1.2.0:
-
+
-
+
rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
+
-
+
12/19/2001 - Thanks to Steve
- Cowles, there is now a Shorewall mirror in Texas.
- This web site is mirrored at , there is now a Shorewall mirror in
+Texas. This web site is mirrored at http://www.infohiiway.com/shorewall
- and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
-
+
11/30/2001 - A new set of the parameterized Sample
Configurations has been released. In this version:
-
+
- - Ping is now allowed
- between the zones.
- - In the three-interface
- configuration, it is now possible to configure the
- internet services that are to be available to servers in
- the DMZ.
+ - Ping is now
+allowed between the zones.
+ - In the three-interface
+ configuration, it is now possible to configure the
+ internet services that are to be available to servers in
+ the DMZ.
-
+
-
+
11/20/2001 - The current version of Shorewall is 1.1.18.
-
+
In this version:
-
+
- - The spelling of
- ADD_IP_ALIASES has been corrected in the shorewall.conf
- file
- - The logic for
-deleting user-defined chains has been simplified so
- that it avoids a bug in the LRP version of the 'cut' utility.
- - The /var/lib/lrpkg/shorwall.conf
- file has been corrected to properly display the
- NAT entry in that file.
+ - The spelling
+of ADD_IP_ALIASES has been corrected in the shorewall.conf
+ file
+ - The logic for
+ deleting user-defined chains has been simplified so
+ that it avoids a bug in the LRP version of the 'cut' utility.
+ - The /var/lib/lrpkg/shorwall.conf
+ file has been corrected to properly display the
+ NAT entry in that file.
-
+
-
+
11/19/2001 - Thanks to Juraj
- Ontkanin, there is now a Shorewall mirror
- in the Slovak Republic. The website is now mirrored
- at http://www.nrg.sk/mirror/shorewall
- and the FTP site is mirrored at , there is now a Shorewall mirror
+ in the Slovak Republic. The website is now mirrored
+ at http://www.nrg.sk/mirror/shorewall
+ and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
-
+
11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.
- There are three sample configurations:
+ There are three sample configurations:
-
+
- - One Interface
--- for a standalone system.
- - Two Interfaces
--- A masquerading firewall.
- - Three Interfaces
- -- A masquerading firewall with DMZ.
+ - One Interface
+ -- for a standalone system.
+ - Two Interfaces
+ -- A masquerading firewall.
+ - Three Interfaces
+ -- A masquerading firewall with DMZ.
-
+
-
+
Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17
- . See the README file for instructions.
+ . See the README file for instructions.
-
+
+
11/1/2001 - The current version of Shorewall is 1.1.17. I intend
- this to be the last of the 1.1 Shorewall
- releases.
+ this to be the last of the 1.1 Shorewall
+ releases.
-
+
+
In this version:
-
+
-
+
10/22/2001 - The current version of Shorewall is 1.1.16. In this
- version:
-
-
-
- - A new "shorewall
- show connections" command has been added.
- - In the "shorewall
- monitor" output, the currently tracked connections
- are now shown on a separate page.
- - Prior to this
-release, Shorewall unconditionally added the external
- IP adddress(es) specified in /etc/shorewall/nat. Beginning
- with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be
- set to "no" (or "No") to inhibit this behavior.
- This allows IP aliases created using your distribution's
- network configuration tools to be used in static
-NAT.
-
-
-
+ version:
-10/15/2001 - The current version of Shorewall is 1.1.15. In this
- version:
-
-
- - Support for nested
- zones has been improved. See the documentation for details
- - Shorewall now
-correctly checks the alternate configuration directory
- for the 'zones' file.
+ - A new "shorewall
+ show connections" command has been added.
+ - In the "shorewall
+ monitor" output, the currently tracked connections
+ are now shown on a separate page.
+ - Prior to this
+ release, Shorewall unconditionally added the external
+ IP adddress(es) specified in /etc/shorewall/nat. Beginning
+ with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be
+ set to "no" (or "No") to inhibit this behavior.
+ This allows IP aliases created using your distribution's
+ network configuration tools to be used in static
+ NAT.
-
+
-
-10/4/2001 - The current version of Shorewall is 1.1.14. In this
- version
+
+10/15/2001 - The current version of Shorewall is 1.1.15. In this
+ version:
-
+
- - Shorewall now
-supports alternate configuration directories. When
+
- Support for
+nested zones has been improved. See the documentation for details
+ - Shorewall now
+ correctly checks the alternate configuration directory
+ for the 'zones' file.
+
+
+
+
+
+10/4/2001 - The current version of Shorewall is 1.1.14. In this
+ version
+
+
+
+ - Shorewall now
+ supports alternate configuration directories. When
an alternate directory is specified when starting or
restarting Shorewall (e.g., "shorewall -c /etc/testconf
restart"), Shorewall will first look for configuration files
in the alternate directory then in /etc/shorewall. To
create an alternate configuration simply:
- 1. Create a New
-Directory
- 2. Copy to that
-directory any of your configuration files that you
+ 1. Create a New
+ Directory
+ 2. Copy to that
+ directory any of your configuration files that you
want to change.
- 3. Modify the copied
- files as needed.
- 4. Restart Shorewall
- specifying the new directory.
- - The rules for
-allowing/disallowing icmp echo-requests (pings) are
- now moved after rules created when processing the rules
- file. This allows you to add rules that selectively allow/deny
- ping based on source or destination address.
- - Rules that specify
- multiple client ip addresses or subnets no longer cause
- startup failures.
- - Zone names in
-the policy file are now validated against the zones
- file.
- - If you have packet mangling support
- enabled, the "norfc1918"
- interface option now logs and drops any incoming packets
- on the interface that have an RFC 1918 destination
- address.
+ 3. Modify the
+copied files as needed.
+ 4. Restart Shorewall
+ specifying the new directory.
+ - The rules for
+ allowing/disallowing icmp echo-requests (pings) are
+ now moved after rules created when processing the rules
+ file. This allows you to add rules that selectively allow/deny
+ ping based on source or destination address.
+ - Rules that specify
+ multiple client ip addresses or subnets no longer
+cause startup failures.
+ - Zone names in
+ the policy file are now validated against the zones
+ file.
+ - If you have
+ packet mangling
+ support enabled, the "norfc1918"
+interface option now logs and drops any incoming packets on
+the interface that have an RFC 1918 destination address.
-
+
-
+
9/12/2001 - The current version of Shorewall is 1.1.13. In this
- version
+ version
-
+
- - Shell variables
- can now be used to parameterize Shorewall rules.
- - The second column
- in the hosts file may now contain a comma-separated
- list.
-
- Example:
- sea eth0:130.252.100.0/24,206.191.149.0/24
- - Handling of multi-zone
- interfaces has been improved. See the documentation for the /etc/shorewall/interfaces
- file.
+ - Shell variables
+ can now be used to parameterize Shorewall rules.
+ - The second column
+ in the hosts file may now contain a comma-separated
+ list.
+
+ Example:
+ sea
+ eth0:130.252.100.0/24,206.191.149.0/24
+ - Handling of
+multi-zone interfaces has been improved. See the
+ documentation for the /etc/shorewall/interfaces
+ file.
-
+
-
+
8/28/2001 - The current version of Shorewall is 1.1.12. In this
- version
+ version
-
+
- - Several columns
- in the rules file may now contain comma-separated
- lists.
- - Shorewall is now
- more rigorous in parsing the options in /etc/shorewall/interfaces.
- - Complementation
- using "!" is now supported in rules.
+ - Several columns
+ in the rules file may now contain comma-separated
+ lists.
+ - Shorewall is
+now more rigorous in parsing the options in /etc/shorewall/interfaces.
+ - Complementation
+ using "!" is now supported in rules.
-
+
-
+
7/28/2001 - The current version of Shorewall is 1.1.11. In this
- version
+ version
-
+
- - A "shorewall refresh"
- command has been added to allow for refreshing
- the rules associated with the broadcast address on a dynamic
- interface. This command should be used in place of "shorewall
- restart" when the internet interface's IP address changes.
- - The /etc/shorewall/start
- file (if any) is now processed after all temporary
- rules have been deleted. This change prevents the accidental
- removal of rules added during the processing of that
- file.
- - The "dhcp" interface
- option is now applicable to firewall interfaces used
- by a DHCP server running on the firewall.
- - The RPM can now
- be built from the .tgz file using "rpm -tb"
+ - A "shorewall
+refresh" command has been added to allow for refreshing
+ the rules associated with the broadcast address on a dynamic
+ interface. This command should be used in place of "shorewall
+ restart" when the internet interface's IP address changes.
+ - The /etc/shorewall/start
+ file (if any) is now processed after all temporary
+ rules have been deleted. This change prevents the accidental
+ removal of rules added during the processing of that
+ file.
+ - The "dhcp" interface
+ option is now applicable to firewall interfaces
+used by a DHCP server running on the firewall.
+ - The RPM can
+now be built from the .tgz file using "rpm -tb"
-
+
-
+
7/6/2001 - The current version of Shorewall is 1.1.10. In this
version
-
+
- - Shorewall now
-enables Ipv4 Packet Forwarding by default. Packet forwarding
- may be disabled by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf.
- If you don't want Shorewall to enable or disable
- packet forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
+
- Shorewall now
+ enables Ipv4 Packet Forwarding by default. Packet
+forwarding may be disabled by specifying IP_FORWARD=Off
+ in /etc/shorewall/shorewall.conf. If you don't
+want Shorewall to enable or disable packet forwarding,
+ add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
file.
- - The "shorewall
-hits" command no longer lists extraneous service
- names in its last report.
- - Erroneous instructions
- in the comments at the head of the firewall script
- have been corrected.
+ - The "shorewall
+ hits" command no longer lists extraneous service
+ names in its last report.
+ - Erroneous instructions
+ in the comments at the head of the firewall script
+ have been corrected.
-
+
-
+
6/23/2001 - The current version of Shorewall is 1.1.9. In this
version
-
+
- - The "tunnels"
-file really is in the RPM now.
- - SNAT can now be
- applied to port-forwarded connections.
- - A bug which would
- cause firewall start failures in some dhcp configurations
- has been fixed.
- - The firewall script
- now issues a message if you have the name of an
- interface in the second column in an entry in /etc/shorewall/masq
- and that interface is not up.
- - You can now configure
- Shorewall so that it doesn't
- require the NAT and/or mangle netfilter modules.
- - Thanks to Alex
- Polishchuk, the "hits" command from seawall is
+
- The "tunnels"
+ file really is in the RPM now.
+ - SNAT can now
+be applied to port-forwarded connections.
+ - A bug which
+would cause firewall start failures in some dhcp configurations
+ has been fixed.
+ - The firewall
+script now issues a message if you have the name of
+ an interface in the second column in an entry in /etc/shorewall/masq
+ and that interface is not up.
+ - You can now
+configure Shorewall so that it doesn't require the NAT and/or
+ mangle netfilter modules.
+ - Thanks to Alex
+ Polishchuk, the "hits" command from seawall is
now in shorewall.
- - Support for IPIP tunnels has been added.
+ - Support for
+ IPIP tunnels has been added.
-
+
-
+
6/18/2001 - The current version of Shorewall is 1.1.8. In this
version
-
+
-
+
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
-
+
- - The TOS rules
-are now deleted when the firewall is stopped.
- - The .rpm will
-now install regardless of which version of iptables
- is installed.
- - The .rpm will
-now install without iproute2 being installed.
- - The documentation
- has been cleaned up.
- - The sample configuration
- files included in Shorewall have been formatted
- to 80 columns for ease of editing on a VGA console.
+ - The TOS rules
+ are now deleted when the firewall is stopped.
+ - The .rpm will
+ now install regardless of which version of iptables
+ is installed.
+ - The .rpm will
+ now install without iproute2 being installed.
+ - The documentation
+ has been cleaned up.
+ - The sample configuration
+ files included in Shorewall have been formatted
+ to 80 columns for ease of editing on a VGA console.
-
+
-
+
5/25/2001 - The current version of Shorewall is 1.1.6. In this
version
-
+
- - You may now rate-limit the
packet log.
- - Previous
- versions of Shorewall have an implementation of Static NAT
- which violates the principle of least surprise.
-NAT only occurs for packets arriving at (DNAT) or send
-from (SNAT) the interface named in the INTERFACE column of
- /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
- regardless of which interface packets come from or are destined
-to. To get compatibility with prior versions, I have added
- a new "ALL "ALL INTERFACES" column
- to /etc/shorewall/nat. By placing "no" or "No" in
-the new column, the NAT behavior of prior versions may be
-retained.
- - The treatment
-of IPSEC Tunnels where the remote
- gateway is a standalone system has been improved. Previously,
- it was necessary to include an additional rule allowing UDP
-port 500 traffic to pass through the tunnel. Shorewall will now
- create this rule automatically when you place the name of the
-remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.
+ - Previous
+ versions of Shorewall have an implementation of Static
+NAT which violates the principle of least surprise.
+ NAT only occurs for packets arriving at (DNAT) or send
+ from (SNAT) the interface named in the INTERFACE column of
+ /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
+ regardless of which interface packets come from or are destined
+ to. To get compatibility with prior versions, I have added
+ a new "ALL "ALL INTERFACES"
+column to /etc/shorewall/nat. By placing "no" or "No"
+in the new column, the NAT behavior of prior versions may
+be retained.
+ - The treatment
+ of IPSEC Tunnels where the
+remote gateway is a standalone system has been improved.
+ Previously, it was necessary to include an additional rule allowing
+ UDP port 500 traffic to pass through the tunnel. Shorewall will
+now create this rule automatically when you place the name of
+the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.
-
+
-
+
5/20/2001 - The current version of Shorewall is 1.1.5. In this
version
-
+
-
+
5/10/2001 - The current version of Shorewall is 1.1.4. In this
version
-
+
- - Accepting RELATED connections
is now optional.
- - Corrected problem
- where if "shorewall start" aborted early (due
+
- Corrected problem
+ where if "shorewall start" aborted early (due
to kernel configuration errors for example), superfluous
'sed' error messages were reported.
- - Corrected rules
- generated for port redirection.
- - The order in which
- iptables kernel modules are loaded has been corrected
- (Thanks to Mark Pavlidis).
+ - Corrected rules
+ generated for port redirection.
+ - The order in
+which iptables kernel modules are loaded has been
+ corrected (Thanks to Mark Pavlidis).
-
+
-
+
4/28/2001 - The current version of Shorewall is 1.1.3. In this
version
-
+
- - Correct message
- issued when Proxy ARP address added (Thanks to Jason
- Kirtland).
- - /tmp/shorewallpolicy-$$
- is now removed if there is an error while starting
- the firewall.
- - /etc/shorewall/icmp.def
- and /etc/shorewall/common.def are now used to
-define the icmpdef and common chains unless overridden
-by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
- - In the .lrp, the
- file /var/lib/lrpkg/shorwall.conf has been corrected.
- An extra space after "/etc/shorwall/policy" has been
- removed and "/etc/shorwall/rules" has been added.
- - When a sub-shell
- encounters a fatal error and has stopped the firewall,
- it now kills the main shell so that the main shell will
- not continue.
- - A problem has
-been corrected where a sub-shell stopped the firewall
- and main shell continued resulting in a perplexing error
- message referring to "common.so" resulted.
- - Previously, placing
- "-" in the PORT(S) column in /etc/shorewall/rules
- resulted in an error message during start. This has been
-corrected.
- - The first line
-of "install.sh" has been corrected -- I had inadvertently
- deleted the initial "#".
+ - Correct message
+ issued when Proxy ARP address added (Thanks to Jason
+ Kirtland).
+ - /tmp/shorewallpolicy-$$
+ is now removed if there is an error while starting
+ the firewall.
+ - /etc/shorewall/icmp.def
+ and /etc/shorewall/common.def are now used to
+ define the icmpdef and common chains unless overridden
+ by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
+ - In the .lrp,
+the file /var/lib/lrpkg/shorwall.conf has been corrected.
+ An extra space after "/etc/shorwall/policy" has been
+ removed and "/etc/shorwall/rules" has been added.
+ - When a sub-shell
+ encounters a fatal error and has stopped the firewall,
+ it now kills the main shell so that the main shell will
+ not continue.
+ - A problem has
+ been corrected where a sub-shell stopped the firewall
+ and main shell continued resulting in a perplexing error
+ message referring to "common.so" resulted.
+ - Previously,
+placing "-" in the PORT(S) column in /etc/shorewall/rules
+ resulted in an error message during start. This has
+been corrected.
+ - The first line
+ of "install.sh" has been corrected -- I had inadvertently
+ deleted the initial "#".
-
+
-
+
4/12/2001 - The current version of Shorewall is 1.1.2. In this
version
-
+
- - Port redirection
- now works again.
- - The icmpdef and
- common chains may now
- be user-defined.
- - The firewall no
- longer fails to start if "routefilter" is specified
- for an interface that isn't started. A warning message
-is now issued in this case.
- - The LRP Version
- is renamed "shorwall" for 8,3 MSDOS file system
- compatibility.
- - A couple of LRP-specific
- problems were corrected.
+ - Port redirection
+ now works again.
+ - The icmpdef
+and common chains may
+ now be user-defined.
+ - The firewall
+no longer fails to start if "routefilter" is specified
+ for an interface that isn't started. A warning message
+ is now issued in this case.
+ - The LRP Version
+ is renamed "shorwall" for 8,3 MSDOS file system
+ compatibility.
+ - A couple of
+LRP-specific problems were corrected.
-
+
-
+
4/8/2001 - Shorewall is now affiliated with the Leaf Project 
-
+
-
+
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
-
+
- - The common chain
- is traversed from INPUT, OUTPUT and FORWARD before
- logging occurs
- - The source has
-been cleaned up dramatically
- - DHCP DISCOVER
-packets with RFC1918 source addresses no longer
- generate log messages. Linux DHCP clients generate such
+
- The common chain
+ is traversed from INPUT, OUTPUT and FORWARD before
+ logging occurs
+ - The source has
+ been cleaned up dramatically
+ - DHCP DISCOVER
+ packets with RFC1918 source addresses no longer
+ generate log messages. Linux DHCP clients generate such
packets and it's annoying to see them logged.
-
+
-
+
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
-
+
- - Log messages now
- indicate the packet disposition.
- - Error messages
-have been improved.
- - The ability to
-define zones consisting of an enumerated set of hosts
- and/or subnetworks has been added.
- - The zone-to-zone
- chain matrix is now sparse so that only those chains
- that contain meaningful rules are defined.
- - 240.0.0.0/4 and
- 169.254.0.0/16 have been added to the source subnetworks
- whose packets are dropped under the norfc1918
-interface option.
- - Exits are now
-provided for executing an user-defined script when
- a chain is defined, when the firewall is initialized,
- when the firewall is started, when the firewall is
-stopped and when the firewall is cleared.
- - The Linux kernel's
- route filtering facility can now be specified
- selectively on network interfaces.
+ - Log messages
+now indicate the packet disposition.
+ - Error messages
+ have been improved.
+ - The ability
+to define zones consisting of an enumerated set of
+hosts and/or subnetworks has been added.
+ - The zone-to-zone
+ chain matrix is now sparse so that only those chains
+ that contain meaningful rules are defined.
+ - 240.0.0.0/4
+and 169.254.0.0/16 have been added to the source
+ subnetworks whose packets are dropped under the norfc1918
+ interface option.
+ - Exits are now
+ provided for executing an user-defined script when
+ a chain is defined, when the firewall is initialized,
+ when the firewall is started, when the firewall
+is stopped and when the firewall is cleared.
+ - The Linux kernel's
+ route filtering facility can now be specified
+ selectively on network interfaces.
-
+
-
+
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
-
+
- - Allows user-defined
- zones. Shorewall now has only one pre-defined
- zone (fw) with the remaining zones being defined in the
+
- Allows user-defined
+ zones. Shorewall now has only one pre-defined
+ zone (fw) with the remaining zones being defined in the
new configuration file /etc/shorewall/zones. The
/etc/shorewall/zones file released in this version provides
behavior that is compatible with Shorewall 1.0.3.
- - Adds the ability
- to specify logging in entries in the /etc/shorewall/rules
- file.
- - Correct handling
- of the icmp-def chain so that only ICMP packets are
- sent through the chain.
- - Compresses the
-output of "shorewall monitor" if awk is installed.
- Allows the command to work if awk isn't installed (although
- it's not pretty).
+ - Adds the ability
+ to specify logging in entries in the /etc/shorewall/rules
+ file.
+ - Correct handling
+ of the icmp-def chain so that only ICMP packets are
+ sent through the chain.
+ - Compresses the
+ output of "shorewall monitor" if awk is installed.
+ Allows the command to work if awk isn't installed (although
+ it's not pretty).
-
+
-
+
3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
- release with no new features.
+ release with no new features.
-
+
- - The PATH variable
- in the firewall script now includes /usr/local/bin
- and /usr/local/sbin.
- - DMZ-related chains
- are now correctly deleted if the DMZ is deleted.
- - The interface
-OPTIONS for "gw" interfaces are no longer ignored.
+ - The PATH variable
+ in the firewall script now includes /usr/local/bin
+ and /usr/local/sbin.
+ - DMZ-related
+chains are now correctly deleted if the DMZ is deleted.
+ - The interface
+ OPTIONS for "gw" interfaces are no longer ignored.
-
+
-
+
3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
- additional "gw" (gateway) zone for tunnels and
- it supports IPSEC tunnels with end-points on the firewall.
- There is also a .lrp available now.
+ additional "gw" (gateway) zone for tunnels and
+ it supports IPSEC tunnels with end-points on the firewall.
+ There is also a .lrp available now.
-
-Updated 3/17/2003 - Tom Eastep
-
+
+Updated 3/21/2003 - Tom Eastep
+
-
+
Copyright © 2001, 2002 Thomas M. Eastep.
-
+
+
+
diff --git a/Shorewall-docs/ProxyARP.htm b/Shorewall-docs/ProxyARP.htm
index 58390156a..faba6583a 100644
--- a/Shorewall-docs/ProxyARP.htm
+++ b/Shorewall-docs/ProxyARP.htm
@@ -1,179 +1,190 @@
-
+
Shorewall Proxy ARP
-
+
-
+
-
+
-
+
-
-
- |
+ |
+
+
Proxy ARP
- |
-
-
-
+
+
+
+
-
+
Proxy ARP allows you to insert a firewall in front of a set of servers
- without changing their IP addresses and without having to re-subnet.
-Before you try to use this technique, I strongly recommend that you read the
-Shorewall Setup Guide.
-
+ without changing their IP addresses and without having to re-subnet.
+ Before you try to use this technique, I strongly recommend that you read
+the Shorewall Setup Guide.
+
The following figure represents a Proxy ARP environment.
-
-
+
+
-
-
+
+
-
-
+
+
Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
- subnet. Assuming that the upper firewall interface is eth0 and the
- lower interface is eth1, this is accomplished using the following entries
-in /etc/shorewall/proxyarp:
-
-
-
-
-
- | ADDRESS |
- INTERFACE |
- EXTERNAL |
- HAVEROUTE |
-
-
- | 130.252.100.18 |
- eth1 |
- eth0 |
- no |
-
-
- | 130.252.100.19 |
- eth1 |
- eth0 |
- no |
-
-
-
-
-
+ subnet. Assuming that the upper firewall interface is eth0 and the
+ lower interface is eth1, this is accomplished using the following entries
+ in /etc/shorewall/proxyarp:
+
+
+
+
+ | ADDRESS |
+ INTERFACE |
+ EXTERNAL |
+ HAVEROUTE |
+
+
+ | 130.252.100.18 |
+ eth1 |
+ eth0 |
+ no |
+
+
+ | 130.252.100.19 |
+ eth1 |
+ eth0 |
+ no |
+
+
+
+
+
+
Be sure that the internal systems (130.242.100.18 and 130.252.100.19
in the above example) are not included in any specification in /etc/shorewall/masq
or /etc/shorewall/nat.
-
+
Note that I've used an RFC1918 IP address for eth1 - that IP address is
- irrelevant.
-
+ irrelevant.
+
The lower systems (130.252.100.18 and 130.252.100.19) should have their
- subnet mask and default gateway configured exactly the same way that
-the Firewall system's eth0 is configured.
-
-
-
A word of warning is in order here. ISPs typically configure
- their routers with a long ARP cache timeout. If you move a system from
- parallel to your firewall to behind your firewall with Proxy ARP, it will
- probably be HOURS before that system can communicate with the internet.
-There are a couple of things that you can try:
+ subnet mask and default gateway configured exactly the same way that
+ the Firewall system's eth0 is configured. In other words, they should
+be configured just like they would be if they were parallel to the firewall
+rather than behind it.
+
NOTE: Do not add the Proxy ARP'ed address(es)
+(130.252.100.18 and 130.252.100.19 in the above example) to the external
+interface (eth0 in this example) of the firewall.
+
+
+
+
+
A word of warning is in order here. ISPs typically configure
+ their routers with a long ARP cache timeout. If you move a system from
+ parallel to your firewall to behind your firewall with Proxy ARP, it will
+ probably be HOURS before that system can communicate with the internet.
+ There are a couple of things that you can try:
+
+
- - (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated,
-Vol 1 reveals that a
-
- "gratuitous" ARP packet should cause the ISP's router to refresh their ARP
-cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
-address for its own IP; in addition to ensuring that the IP address isn't
-a duplicate...
-
- "if the host sending the gratuitous ARP has just changed its hardware address...,
-this packet causes any other host...that has an entry in its cache for the
-old hardware address to update its ARP cache entry accordingly."
-
- Which is, of course, exactly what you want to do when you switch a host
-from being exposed to the Internet to behind Shorewall using proxy ARP (or
-static NAT for that matter). Happily enough, recent versions of Redhat's
+ - (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated,
+ Vol 1 reveals that a
+
+ "gratuitous" ARP packet should cause the ISP's router to refresh their
+ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
+MAC address for its own IP; in addition to ensuring that the IP address isn't
+ a duplicate...
+
+ "if the host sending the gratuitous ARP has just changed its hardware
+address..., this packet causes any other host...that has an entry in its
+cache for the old hardware address to update its ARP cache entry accordingly."
+
+ Which is, of course, exactly what you want to do when you switch a host
+ from being exposed to the Internet to behind Shorewall using proxy ARP (or
+ static NAT for that matter). Happily enough, recent versions of Redhat's
iputils package include "arping", whose "-U" flag does just that:
-
- arping -U -I <net if> <newly proxied
-IP>
- arping -U -I eth0 66.58.99.83 # for example
-
- Stevens goes on to mention that not all systems respond correctly to gratuitous
-ARPs, but googling for "arping -U" seems to support the idea that it works
-most of the time.
-
-To use arping with Proxy ARP in the above example, you would have to:
-
- shorewall clear
- ip addr add 130.252.100.18 dev
-eth0
- ip addr add 130.252.100.19 dev eth0
- arping -U -I eth0 130.252.100.18
- arping -U -I eth0 130.252.100.19
- ip addr del 130.252.100.18 dev eth0
- ip addr del 130.252.100.19 dev eth0
- shorewall start
-
-
- - You can call your ISP and ask them to purge the stale ARP cache
-entry but many either can't or won't purge individual entries.
-
+
+ arping -U -I <net if> <newly
+proxied IP>
+ arping -U -I eth0 66.58.99.83 # for example
+
+ Stevens goes on to mention that not all systems respond correctly to gratuitous
+ ARPs, but googling for "arping -U" seems to support the idea that it works
+ most of the time.
+
+ To use arping with Proxy ARP in the above example, you would have to:
+
+ shorewall clear
+ ip addr add 130.252.100.18
+dev eth0
+ ip addr add 130.252.100.19 dev eth0
+ arping -U -I eth0 130.252.100.18
+ arping -U -I eth0 130.252.100.19
+ ip addr del 130.252.100.18 dev eth0
+ ip addr del 130.252.100.19 dev eth0
+ shorewall start
+
+
+ - You can call your ISP and ask them to purge the stale ARP cache
+ entry but many either can't or won't purge individual entries.
+
- You can determine if your ISP's gateway ARP cache is stale using ping
-and tcpdump. Suppose that we suspect that the gateway router has a stale
-ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
-
-
+ You can determine if your ISP's gateway ARP cache is stale using ping
+ and tcpdump. Suppose that we suspect that the gateway router has a stale
+ ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
+
+
-
-
+
+
+
Now from 130.252.100.19, ping the ISP's gateway (which we
-will assume is 130.252.100.254):
-
-
-
+ will assume is 130.252.100.254):
+
+
+
-
-
+
+
+
We can now observe the tcpdump output:
-
-
-
+
+
+
13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
-
-
-
+
+
+
Notice that the source MAC address in the echo request is
- different from the destination MAC address in the echo reply!! In this
-case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
- was the MAC address of the system on the lower left. In other words, the
-gateway's ARP cache still associates 130.252.100.19 with the NIC in that
-system rather than with the firewall's eth0.
-
-
-
Last updated 1/26/2003 -
+
Last updated 3/21/2003 - Tom Eastep
- Copyright © Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+
+
diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm
index 628748a58..a39b6c83f 100644
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@@ -2,244 +2,263 @@
-
+
Shorewall 1.4 Errata
-
+
-
+
-
+
-
+
-
+
-
-
- |
+ |
+
+
-
+
Shorewall Errata/Upgrade Issues
- |
-
+
+
-
-
+
+
-
+
IMPORTANT
-
+
- -
-
-
If you use a Windows system to download
- a corrected script, be sure to run the script through
- dos2unix after you have moved
+ -
+
+
+
If you use a Windows system to download
+ a corrected script, be sure to run the script through
+ dos2unix after you have moved
it to your Linux system.
-
- -
-
-
If you are installing Shorewall for the
-first time and plan to use the .tgz and install.sh script, you can
-untar the archive, replace the 'firewall' script in the untarred directory
+
+ -
+
+
+
If you are installing Shorewall for the first
+time and plan to use the .tgz and install.sh script, you can untar
+the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.
-
- -
-
-
When the instructions say to install a corrected
- firewall script in /usr/share/shorewall/firewall, you may
-rename the existing file before copying in the new file.
-
- -
-
-
DO NOT INSTALL CORRECTED COMPONENTS
- ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
- For example, do NOT install the 1.3.9a firewall script if you are running
+
+ -
+
+
+
When the instructions say to install a corrected
+ firewall script in /usr/share/shorewall/firewall, you may
+ rename the existing file before copying in the new file.
+
+ -
+
+
DO NOT INSTALL CORRECTED COMPONENTS
+ ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
+ For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.
-
-
-
+
+
+
-
+
-
-
+
+
Problems in Version 1.4
-
+
- None.
-
+
+1.4.0
+
+ - When running under certain shells Shorewall will attempt to create
+ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
+/etc/shorewall/ecn or you can install this
+correct script in /usr/share/shorewall/firewall as described above.
+
+
+
Upgrade Issues
-
+
The upgrade issues have moved to a separate page.
-
-
- Problem with
+
+
+ Problem with
iptables version 1.2.3
-
-
-
- There are a couple of serious bugs in iptables 1.2.3 that
- prevent it from working with Shorewall. Regrettably, RedHat
- released this buggy iptables in RedHat 7.2.
-
-
- I have built a
- corrected 1.2.3 rpm which you can download here and I have
- also built an
-iptables-1.2.4 rpm which you can download here. If you are currently
- running RedHat 7.1, you can install either of these RPMs
- before you upgrade to RedHat 7.2.
-
+
+
- Update 11/9/2001: RedHat
- has released an iptables-1.2.4 RPM of their own which you can
-download from http://www.redhat.com/support/errata/RHSA-2001-144.html.
- I have installed this RPM on my firewall and it works
- fine.
-
-
- If you would like to patch iptables 1.2.3 yourself,
- the patches are available for download. This patch
- which corrects a problem with parsing of the --log-level specification
- while this patch
- corrects a problem in handling the TOS target.
-
-
- To install one of the above patches:
-
-
-
- - cd iptables-1.2.3/extensions
- - patch -p0 < the-patch-file
-
-
-
-
-
-
-Problems with kernels >= 2.4.18
- and RedHat iptables
-
-
-
- Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
- may experience the following:
-
-
-
-
- # shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
-
-
-
- The RedHat iptables RPM is compiled with debugging enabled but the
- user-space debugging code was not updated to reflect recent changes in
- the Netfilter 'mangle' table. You can correct the problem by
- installing
- this iptables RPM. If you are already running a 1.2.5 version
- of iptables, you will need to specify the --oldpackage option to
- rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
-
+ There are a couple of serious bugs in iptables 1.2.3 that
+ prevent it from working with Shorewall. Regrettably,
+RedHat released this buggy iptables in RedHat 7.2.
-Problems installing/upgrading
+
I have built a
+ corrected 1.2.3 rpm which you can download here and I have
+ also built an
+ iptables-1.2.4 rpm which you can download here. If you are currently
+ running RedHat 7.1, you can install either of these RPMs
+ before you upgrade to RedHat 7.2.
+
+
+ Update 11/9/2001: RedHat
+ has released an iptables-1.2.4 RPM of their own which you can
+download from http://www.redhat.com/support/errata/RHSA-2001-144.html.
+ I have installed this RPM on my firewall and it works
+ fine.
+
+
+ If you would like to patch iptables 1.2.3 yourself,
+ the patches are available for download. This patch
+ which corrects a problem with parsing of the --log-level specification
+ while this patch
+ corrects a problem in handling the TOS target.
+
+
+ To install one of the above patches:
+
+
+
+ - cd iptables-1.2.3/extensions
+ - patch -p0 < the-patch-file
+
+
+
+
+
+
+Problems with kernels >= 2.4.18
+ and RedHat iptables
+
+
+
+ Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
+ may experience the following:
+
+
+
+
+ # shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
+
+
+
+ The RedHat iptables RPM is compiled with debugging enabled but the
+ user-space debugging code was not updated to reflect recent changes in
+ the Netfilter 'mangle' table. You can correct the problem by
+ installing
+ this iptables RPM. If you are already running a 1.2.5 version
+ of iptables, you will need to specify the --oldpackage option
+to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
+
+
+
+Problems installing/upgrading
RPM on SuSE
-If you find that rpm complains about a conflict
- with kernel <= 2.2 yet you have a 2.4 kernel
- installed, simply use the "--nodeps" option to
- rpm.
+
+If you find that rpm complains about a conflict
+ with kernel <= 2.2 yet you have a 2.4 kernel
+ installed, simply use the "--nodeps" option to
+ rpm.
+
Installing: rpm -ivh --nodeps <shorewall rpm>
+
Upgrading: rpm -Uvh --nodeps <shorewall rpm>
-Problems with
- iptables version 1.2.7 and MULTIPORT=Yes
+
+Problems with
+ iptables version 1.2.7 and MULTIPORT=Yes
-The iptables 1.2.7 release of iptables has made
- an incompatible change to the syntax used to
- specify multiport match rules; as a consequence,
- if you install iptables 1.2.7 you must be running
- Shorewall 1.3.7a or later or:
+
+The iptables 1.2.7 release of iptables has made
+ an incompatible change to the syntax used to
+ specify multiport match rules; as a consequence,
+ if you install iptables 1.2.7 you must be running
+ Shorewall 1.3.7a or later or:
+
- - set MULTIPORT=No
-in /etc/shorewall/shorewall.conf; or
- - if you are running
- Shorewall 1.3.6 you may install
-
- this firewall script in /var/lib/shorewall/firewall
+
- set MULTIPORT=No
+ in /etc/shorewall/shorewall.conf; or
+ - if you are running
+ Shorewall 1.3.6 you may install
+
+ this firewall script in /var/lib/shorewall/firewall
as described above.
-
+
-
+
Problems with RH Kernel 2.4.18-10 and NAT
-
- /etc/shorewall/nat entries of the following form will result
+
+ /etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:
-
-
+
+
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
192.0.2.22 eth0 192.168.9.22 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- Error message is:
-
+ Error message is:
+
Setting up NAT...
iptables: Invalid argument
Terminated
- The solution is to put "no" in the LOCAL column. Kernel support
- for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
-it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton
- option; see http://www.shorewall.net/Documentation.htm#NAT
-
- Last updated 2/8/2003 -
- Tom Eastep
-
+ The solution is to put "no" in the LOCAL column. Kernel
+support for LOCAL=yes has never worked properly and 2.4.18-10 has
+disabled it. The 2.4.19 kernel contains corrected support under a new
+kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
+
+ Last updated 3/21/2003 -
+ Tom Eastep
+
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
+
+
diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm
index e12951d5e..beaaaf83e 100644
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@@ -1,224 +1,229 @@
-
+
My Shorewall Configuration
-
+
-
-
+
+
-
+
-
-
- |
-
+ |
+
+
+
About My Network
- |
-
-
-
+
+
+
+
-
-
-
-My Current Network
-
- Warning: I
- use a combination of Static NAT and Proxy ARP, neither of which are relevant
- to a simple configuration with a single public IP address.
- If you have just a single public IP address, most of what you see here won't
- apply to your setup so beware of copying parts of this configuration and
-expecting them to work for you. What you copy may or may not work in your
-configuration.
-
-
- I have DSL service and have 5 static IP addresses (206.124.146.176-180).
- My DSL "modem" (Fujitsu Speedport)
- is connected to eth0. I have a local network connected to eth2 (subnet
+
+
+My Current Network
+
+
+ Warning 1: I
+ use a combination of Static NAT and Proxy ARP, neither of which are relevant
+ to a simple configuration with a single public IP address.
+ If you have just a single public IP address, most of what you see here
+won't apply to your setup so beware of copying parts of this configuration
+and expecting them to work for you. What you copy may or may not work in
+your configuration.
+
+ Warning 2: My
+configuration uses features introduced in Shorewall version 1.4.1.
+
+
+ I have DSL service and have 5 static IP addresses (206.124.146.176-180).
+ My DSL "modem" (Fujitsu Speedport)
+ is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).
-
+
I use:
-
-
+
+
- - Static NAT for Ursa (my XP System) - Internal address 192.168.1.5
- and external address 206.124.146.178.
- - Static NAT for Wookie (my Linux System). Internal address
-192.168.1.3 and external address 206.124.146.179.
- - SNAT through the primary gateway address (206.124.146.176)
- for my Wife's system (Tarry) and the laptop when connected through
-the Wireless Access Point (wap)
-
+ - Static NAT for Ursa (my XP System) - Internal address
+192.168.1.5 and external address 206.124.146.178.
+ - Static NAT for Wookie (my Linux System). Internal address
+ 192.168.1.3 and external address 206.124.146.179.
+ - SNAT through the primary gateway address (206.124.146.176)
+ for my Wife's system (Tarry) and the laptop when connected through the
+Wireless Access Point (wap)
+
-
+
The firewall runs on a 256MB PII/233 with RH8.0.
-
- Wookie runs Samba and acts as the a WINS server. Wookie is in its
+
+
Wookie runs Samba and acts as the a WINS server. Wookie is in its
own 'whitelist' zone called 'me'.
-
- My laptop (eastept1) is connected to eth3 using a cross-over cable.
- It runs its own Sygate firewall
-software and is managed by Proxy ARP. It connects to the local network
+
+
My laptop (eastept1) is connected to eth3 using a cross-over cable.
+ It runs its own Sygate firewall
+software and is managed by Proxy ARP. It connects to the local network
through a PPTP server running on Ursa.
-
- The single system in the DMZ (address 206.124.146.177) runs postfix,
- Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
- server (Pure-ftpd). The system also runs fetchmail to fetch our email
+
+
The single system in the DMZ (address 206.124.146.177) runs postfix,
+ Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
+ server (Pure-ftpd). The system also runs fetchmail to fetch our email
from our old and current ISPs. That server is managed through Proxy ARP.
-
- The firewall system itself runs a DHCP server that serves the local
+
+
The firewall system itself runs a DHCP server that serves the local
network.
-
- All administration and publishing is done using ssh/scp. I have X installed
-on both the firewall and the server but no X server or desktop is installed.
-X applications tunnel through SSH to XWin.exe running on Ursa.
-
+
+ All administration and publishing is done using ssh/scp. I have X installed
+ on both the firewall and the server but no X server or desktop is installed.
+ X applications tunnel through SSH to XWin.exe running on Ursa.
+
I run an SNMP server on my firewall to serve MRTG running
+ href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG running
in the DMZ.
-
+
-
-
+
+
-
- The ethernet interface in the Server is configured
- with IP address 206.124.146.177, netmask
- 255.255.255.0. The server's default gateway is
- 206.124.146.254 (Router at my ISP. This is the same
- default gateway used by the firewall itself). On the firewall,
- Shorewall automatically adds a host route to
- 206.124.146.177 through eth1 (192.168.2.1) because
- of the entry in /etc/shorewall/proxyarp (see
- below).
-
- A similar setup is used on eth3 (192.168.3.1) which
- interfaces to my laptop (206.124.146.180).
-
-
- Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
- access.
-
-
+
+ The ethernet interface in the Server is configured
+ with IP address 206.124.146.177, netmask
+ 255.255.255.0. The server's default gateway is
+ 206.124.146.254 (Router at my ISP. This is the same
+ default gateway used by the firewall itself). On the firewall,
+ Shorewall automatically adds a host route
+to 206.124.146.177 through eth1 (192.168.2.1)
+because of the entry in /etc/shorewall/proxyarp
+(see below).
+
+ A similar setup is used on eth3 (192.168.3.1) which
+ interfaces to my laptop (206.124.146.180).
+
+
+ Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
+ access.
+
+
-
-
+
+
Shorewall.conf
-
-
+
+
SHARED_DIR=/usr/share/shorewall
LOGFILE=/var/log/firewall
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
-
-
-
-Params File (Edited):
-
-MIRRORS=<list of shorewall mirror ip addresses>
- NTPSERVERS=<list of the NTP servers I sync with>
- LOG=ULOG
- TEXAS=<ip address of gateway in Dallas>
-
+
+
+
+Params File (Edited):
+
+MIRRORS=<list of shorewall mirror ip addresses>
+ NTPSERVERS=<list of the NTP servers I sync with>
+ LOG=ULOG
+ TEXAS=<ip address of gateway in Dallas>
+
+
Zones File
-
-
+
+
#ZONE DISPLAY COMMENTS
net Internet Internet
me Wookie My Linux Workstation
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-
-Interfaces File:
-
-
-
- This is set up so that I can start the firewall before bringing up
-my Ethernet interfaces.
-
+
-
+Interfaces File:
+
+
+
+ This is set up so that I can start the firewall before bringing up my
+Ethernet interfaces.
+
+
+
#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp,maclist
dmz eth1 192.168.2.255
net eth3 206.124.146.255
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-
+
+
Hosts File:
-
-
+
+
#ZONE HOST(S) OPTIONS
me eth2:192.168.1.3
tx texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-
+
+
Routestopped File:
-
-
+
+
#INTERFACQ HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-
+
+
Policy File:
-
-
- #SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
me all ACCEPT
tx me ACCEPT
all me CONTINUE - 2/sec:5
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
net net ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-
+
+
+ #SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
me loc NONE
loc me NONE
me all ACCEPT
tx me ACCEPT
all me CONTINUE - 2/sec:5
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
Masq File:
-
-
-
- Although most of our internal systems use static NAT, my wife's system
- (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
+
+
+
+ Although most of our internal systems use static NAT, my wife's system
+ (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.
-
-
-
+
+
+
#INTERFACE SUBNET ADDRESS
eth0:0.0.0.0/0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
NAT File:
-
-
+
+
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.5 No No
206.124.146.179 eth0:1 192.168.1.3 No No
192.168.1.193 eth2:0 206.124.146.177 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
+
+
Proxy ARP File:
-
-
+
+
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
+
+
Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):
-
-
+
+
#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
+
+
Common File:
-
-
+
+
. /etc/shorewall/common.def
run_iptables -A common -p tcp --dport auth -j REJECT
-
-
-Rules File (The shell variables
- are set in /etc/shorewall/params):
-
-
+
+
+Rules File (The shell variables
+ are set in /etc/shorewall/params):
+
+
################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL DEST:SNAT
################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
LOG:$LOG loc net tcp 137:139
################################################################################################################################################################
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh,time,10000
ACCEPT loc fw udp snmp
ACCEPT loc fw udp ntp
################################################################################################################################################################
# Local Network to DMZ (10027 is our SMTP backdoor that bypasses virus/spam filtering)
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp,domain,ssh,imap,https,imaps,cvspserver,www,ftp,10027,10000,8080 -
################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz tcp www,smtp,ftp,imaps,domain,cvspserver,https,imap -
ACCEPT net dmz udp domain
ACCEPT net:$MIRRORS dmz tcp rsync
ACCEPT:$LOG net dmz tcp 32768:61000 20
DROP net dmz tcp 1433
################################################################################################################################################################
#
# Net to Local
#
# My laptop isn't NATTED when in its docking station. To allow access to the local lan, I need a VPN to Ursa which is enabled by the following "half"-rules.
#
DNAT- net loc:192.168.1.5 tcp 1723 - 206.124.146.178
DNAT- net loc:192.168.1.5 gre - - 206.124.146.178
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# ICQ to Ursa
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
################################################################################################################################################################
# Net to me
#
ACCEPT net me:192.168.1.3 tcp 4000:4100
################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh
ACCEPT dmz net udp domain
ACCEPT dmz net:206.124.128.8 tcp pop3
ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
################################################################################################################################################################
#
# DMZ to Me -- NFS
#
ACCEPT dmz me tcp 111
ACCEPT dmz me udp 111
ACCEPT dmz me udp 2049
ACCEPT dmz me udp 32700:
################################################################################################################################################################
# Internet to Firewall
#
ACCEPT net:eth3:206.124.146.180 fw udp ntp ntp
REJECT net fw tcp www
DROP net fw tcp 1433
DROP net:eth3:!206.124.146.180 fw all
################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp 8
################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
ACCEPT fw dmz icmp 8
REJECT fw dmz udp 137:139
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
+
+
Tom Eastep
- Copyright
- © 2001, 2002, 2003 Thomas M. Eastep.
+ Copyright
+ © 2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/Shorewall-docs/quotes.htm b/Shorewall-docs/quotes.htm
index 452dd5537..87c826166 100644
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@@ -1,104 +1,109 @@
-
+
-
+
-
+
-
+
Quotes from Shorewall Users
-
+
-
-
- |
+ |
+
+
Quotes from Shorewall Users
- |
-
-
-
+
+
+
+
-
-"I just installed Shorewall after weeks of messing with ipchains/iptables
-and I had it up and running in under 20 minutes!" -- JL, Ohio
-
- "My case was almost like [the one above]. Well. instead of 'weeks' it was
-'months' for me, and I think I needed two minutes more:
-
+
+"The configuration is intuitive and flexible, and much easier than any
+of the other iptables-based firewall programs out there. After sifting through
+many other scripts, it is obvious that yours is the most well thought-out
+and complete one available." -- BC, USA
+"I just installed Shorewall after weeks of messing with ipchains/iptables
+ and I had it up and running in under 20 minutes!" -- JL, Ohio
+
+ "My case was almost like [the one above]. Well. instead of 'weeks' it was
+ 'months' for me, and I think I needed two minutes more:
+
- - One to see that I had no Internet access from the firewall itself.
- - Other to see that this was the default configuration, and it was enough
-to uncomment a line in /etc/shorewall/policy.
-
-
+ - One to see that I had no Internet access from the firewall itself.
+ - Other to see that this was the default configuration, and it was
+enough to uncomment a line in /etc/shorewall/policy.
+
+
- Minutes instead of months! Congratulations and thanks for such a simple
-and well documented thing for something as huge as iptables." -- JV, Spain.
-
-"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
-any problems. Your documentation is great and I really appreciate your
-network configuration info. That really helped me out alot. THANKS!!!"
--- MM.
-
-"[Shorewall is a] great, great project. I've used/tested may firewall
-scripts but this one is till now the best." -- B.R, Netherlands
-
-
-"Never in my +12 year career as a sys admin have I witnessed someone
-so relentless in developing a secure, state of the art, safe and useful
-product as the Shorewall firewall package for no cost or obligation
-involved." -- Mario Kerecki, Toronto
-
-"one time more to report, that your great shorewall in the latest
- release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
-7 machines up and running with shorewall on several versions - starting
-with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
--- SM, Germany
-
-"You have the best support of any other package I've ever used."
--- SE, US
-
-"Because our company has information which has been classified by the
-national government as secret, our security doesn't stop by putting a fence
- around our company. Information security is a hot issue. We also make use
-of checkpoint firewalls, but not all of the internet servers are guarded
-by checkpoint, some of them are running....Shorewall." -- Name withheld by
-request, Europe
-
-"thanx for all your efforts you put into shorewall - this product stands
-out against a lot of commercial stuff iŽve been working with in terms of
- flexibillity, quality & support" -- RM, Austria
-
-"I have never seen such a complete firewall package that is so easy to
- configure. I searched the Debian package system for firewall scripts and
- Shorewall won hands down." -- RG, Toronto
-
-"My respects... I've just found and installed Shorewall 1.3.3-1 and it
-is a wonderful piece of software. I've just sent out an email to about 30
-people recommending it. :-)
- While I had previously taken the time (maybe 40 hours) to really understand
- ipchains, then spent at least an hour per server customizing and carefully
- scrutinizing firewall rules, I've got shorewall running on my home firewall,
- with rulesets and policies that I know make sense, in under 20 minutes."
--- RP, Guatamala
-
-
-
-Updated 10/9/2002
-- Tom Eastep
-
-
-Copyright
- © 2001, 2002 Thomas M. Eastep.
+ Minutes instead of months! Congratulations and thanks for such a simple
+and well documented thing for something as huge as iptables." -- JV, Spain.
+
+"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
+ any problems. Your documentation is great and I really appreciate
+your network configuration info. That really helped me out alot. THANKS!!!"
+ -- MM.
+
+"[Shorewall is a] great, great project. I've used/tested may firewall
+ scripts but this one is till now the best." -- B.R, Netherlands
+
+
+"Never in my +12 year career as a sys admin have I witnessed someone
+ so relentless in developing a secure, state of the art, safe and useful
+ product as the Shorewall firewall package for no cost or obligation
+ involved." -- Mario Kerecki, Toronto
+
+"one time more to report, that your great shorewall in the latest
+ release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
+have 7 machines up and running with shorewall on several versions -
+starting with 1.2.2 up to the new 1.2.9 and I never have encountered
+any problems!" -- SM, Germany
+
+"You have the best support of any other package I've ever used."
+ -- SE, US
+
+"Because our company has information which has been classified by the
+ national government as secret, our security doesn't stop by putting a fence
+ around our company. Information security is a hot issue. We also make use
+ of checkpoint firewalls, but not all of the internet servers are guarded
+ by checkpoint, some of them are running....Shorewall." -- Name withheld
+by request, Europe
+
+"thanx for all your efforts you put into shorewall - this product stands
+ out against a lot of commercial stuff iŽve been working with in terms of
+ flexibillity, quality & support" -- RM, Austria
+
+"I have never seen such a complete firewall package that is so easy to
+ configure. I searched the Debian package system for firewall scripts and
+ Shorewall won hands down." -- RG, Toronto
+
+"My respects... I've just found and installed Shorewall 1.3.3-1 and it
+ is a wonderful piece of software. I've just sent out an email to about
+30 people recommending it. :-)
+ While I had previously taken the time (maybe 40 hours) to really understand
+ ipchains, then spent at least an hour per server customizing and carefully
+ scrutinizing firewall rules, I've got shorewall running on my home firewall,
+ with rulesets and policies that I know make sense, in under 20 minutes."
+ -- RP, Guatamala
+
+
+Updated 3/18/2003
+ - Tom Eastep
+
+
+Copyright
+ © 2001, 2002, 2003 Thomas M. Eastep.
+
+
diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm
index 7f3b37a5e..42a8a48c3 100644
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@@ -7,7 +7,7 @@
-
+
Shoreline Firewall (Shorewall) 1.4
@@ -17,22 +17,22 @@
-
+
-
+
-
+
-
+
-
+
-
+
-
+
- |
+ |
@@ -121,7 +122,7 @@
-
+
What is it?
@@ -135,7 +136,7 @@
-
+
The Shoreline Firewall, more commonly known as "Shorewall", is
a Netfilter (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
@@ -152,28 +153,28 @@ firewall that can be used on a dedicated firewall system, a multi-functio
-
+
This program is free software; you can redistribute it and/or modify
- it under the
+ it under the
terms of Version
2 of the GNU General Public License as published by the Free
Software Foundation.
-
+
- This program is distributed
- in the hope that it will be useful, but
+ This program is distributed
+ in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
- warranty of MERCHANTABILITY or FITNESS FOR
-A PARTICULAR PURPOSE. See the GNU General Public License
- for more details.
+ warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License
+ for more details.
-
+
- You should have received
- a copy of the GNU General Public License
- along with this program; if not, write
-to the Free Software Foundation, Inc., 675
+ You should have received
+ a copy of the GNU General Public License
+ along with this program; if not, write
+ to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA
@@ -187,7 +188,7 @@ to the Free Software Foundation, Inc., 675
-
+
Copyright 2001, 2002, 2003 Thomas M. Eastep
@@ -201,336 +202,115 @@ to the Free Software Foundation, Inc., 675
-
+
- Jacques Nilo
- and Eric Wolzak have a LEAF (router/firewall/gateway
- on a floppy, CD or compact flash) distribution
- called Bering that features
+ Jacques Nilo
+ and Eric Wolzak have a LEAF (router/firewall/gateway
+ on a floppy, CD or compact flash) distribution
+ called Bering that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
- their work at: http://leaf.sourceforge.net/devel/jnilo
-
+
-
+
+
Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!!
-
-
+
+
This is a mirror of the main Shorewall web site at SourceForge
(http://shorewall.sf.net)
-
+
News
-
- 3/17/2003 - Shorewall 1.4.0 
-
- Shorewall 1.4 represents
- the next step in the evolution of Shorewall. The main thrust of the
- initial release is simply to remove the cruft that has accumulated in
- Shorewall over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute package
- ('ip' utility).
-
- Function from 1.3 that has been omitted from this version
- include:
-
-
-
- - The MERGE_HOSTS variable in shorewall.conf is no longer supported.
- Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
-
-
- - Interface names of the form <device>:<integer>
- in /etc/shorewall/interfaces now generate an error.
-
-
- - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
- OLD_PING_HANDLING=Yes will generate an error at startup as will specification
- of the 'noping' or 'filterping' interface options.
-
-
- - The 'routestopped' option in the /etc/shorewall/interfaces
- and /etc/shorewall/hosts files is no longer supported and will generate
- an error at startup if specified.
-
-
- - The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
- longer accepted.
-
-
- - The ALLOWRELATED variable in shorewall.conf is no longer
-supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
-
-
- - The icmp.def file has been removed.
-
-
-
- Changes for 1.4 include:
-
-
-
- - The /etc/shorewall/shorewall.conf file has been completely
- reorganized into logical sections.
-
-
- - LOG is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - The firewall script, common functions file and version file
- are now installed in /usr/share/shorewall.
-
-
- - Late arriving DNS replies are now silently dropped in the
- common chain by default.
-
-
- - In addition to behaving like OLD_PING_HANDLING=No, Shorewall
- 1.4 no longer unconditionally accepts outbound ICMP packets. So if
-you want to 'ping' from the firewall, you will need the appropriate rule
-or policy.
-
-
- - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - 802.11b devices with names of the form wlan<n>
- now support the 'maclist' option.
-
-
- - Explicit Congestion Notification (ECN - RFC 3168)
- may now be turned off on a host or network basis using the new /etc/shorewall/ecn
- file. To use this facility:
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-
- - The /etc/shorewall/params file is now processed first so that
- variables may be used in the /etc/shorewall/shorewall.conf file.
-
-
- - Shorewall now gives a more helpful diagnostic when
- the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
- command is issued.
-
-
- - The SHARED_DIR variable has been removed from shorewall.conf.
- This variable was for use by package maintainers and was not documented
-for general use.
-
-
- - Shorewall now ignores 'default' routes when detecting masq'd
- networks.
-
-
-
-
- 3/11/2003 - Shoreall 1.3.14a
-
-
- A roleup of the following bug fixes and other updates:
-
-
- - There is an updated rfc1918 file that reflects the resent
- allocation of 222.0.0.0/8 and 223.0.0.0/8.
- - The documentation for the routestopped file claimed that a
-comma-separated list could appear in the second column while the code
-only supported a single host or network address.
- - Log messages produced by 'logunclean' and 'dropunclean' were
- not rate-limited. 802.11b devices with names of the form wlan<n>
- don't support the 'maclist' interface option.
- - Log messages generated by RFC 1918 filtering are not rate
-limited.
- - The firewall fails to start in the case
-where you have "eth0 eth1" in /etc/shorewall/masq and the default route
-is through eth1.
-
-
-
- 2/8/2003 - Shorewall 1.3.14
-
-
- New features include
-
-
+ 3/24/2003 - Shorewall 1.4.1
+
+This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
+and removes additional warts.
+
+ Problems Corrected:
- - An OLD_PING_HANDLING option has been added
-to shorewall.conf. When set to Yes, Shorewall ping handling is
-as it has always been (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled
- via rules and policies just like any other connection request.
-The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
-'filterping' options in /etc/shorewall/interfaces will all generate
-an error.
-
-
- - It is now possible to direct Shorewall to create
- a "label" such as "eth0:0" for IP addresses that it creates under
- ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
- the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names of the
-form $DEV.$VID (e.g., eth0.0)
-
-
- - In /etc/shorewall/tcrules, the MARK value may
-be optionally followed by ":" and either 'F' or 'P' to designate that
-the marking will occur in the FORWARD or PREROUTING chains respectively.
-If this additional specification is omitted, the chain used to mark packets
- will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
- in shorewall.conf.
-
-
- - When an interface name is entered in the SUBNET
- column of the /etc/shorewall/masq file, Shorewall previously masqueraded
- traffic from only the first subnet defined on that interface. It
- did not masquerade traffic from:
-
- a) The subnets associated with other addresses
-on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an interface
- name in the SUBNET column, shorewall will use the firewall's routing
- table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
-
-
-
- [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
- local subnets connected to an interface that is specified in the
- SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
- file will need changing. In most cases, you will simply be able to remove
- redundant entries. In some cases though, you might want to change from
- using the interface name to listing specific subnetworks if the change
- described above will cause masquerading to occur on subnetworks that you
- don't wish to masquerade.
-
- Example 2 -- Suppose that your current config is as
- follows:
-
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration is
-like this?
-
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry
- in /etc/shorewall/masq to:
-
-
-
-
- #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
+ - When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
+it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
+file is empty. That problem has been corrected so that ECN disabling rules
+are only added if there are entries in /etc/shorewall/ecn.
-
-
-
- 2/5/2003 - Shorewall Support included in Webmin 1.060
-
- Webmin version 1.060 now has Shorewall support included
- as standard. See http://www.webmin.com.
-
-
+ New Features:
+ Note: In the list that follows, the term group refers
+to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
+a host address) accessed through a particular interface. Examples:
+ eth0:0.0.0.0/0
+eth2:192.168.1.0/24
+eth3:192.0.2.123
+
+You can use the "shorewall check" command to see the groups associated with
+each of your zones.
+
+
+ - Beginning with Shorewall 1.4.1, if a zone Z comprises more than
+one group then if there is no explicit Z to Z policy and there are
+no rules governing traffic from Z to Z then Shorewall will permit all traffic
+between the groups in the zone.
+ - Beginning with Shorewall 1.4.1, Shorewall will never create rules
+to handle traffic from a group to itself.
+ - A NONE policy is introduced in 1.4.1. When a policy of NONE is
+specified from Z1 to Z2:
+
+
+ - There may be no rules created that govern connections from Z1
+to Z2.
+ - Shorewall will not create any infrastructure to handle traffic
+from Z1 to Z2.
+
+See the upgrade issues for a discussion
+of how these changes may affect your configuration.
More News
-
+
Donations
- |
+
- M |
-
+
-
+
+
-
+
-
+
-
-
+
-
+
-
@@ -541,12 +321,12 @@ like this?
-
+
-
+
@@ -558,32 +338,34 @@ like this?
-
+
Shorewall is free
but if you try it and find it useful, please consider making a donation
- to Starlight
Children's Foundation. Thanks!
- |
+
-
+
-
+
-
+
-
-Updated 3/17/2003 - Tom Eastep
+
+
Updated 3/21/2003 - Tom Eastep
-
-
+
+
+
+
diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm
index ee7d09311..2ccc58089 100644
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@@ -1,128 +1,129 @@
-
+
About the Shorewall Author
-
+
-
-
+
+
-
+
-
-
- |
-
+ |
+
+
+
Tom Eastep
- |
-
-
-
+
+
+
+
-
+
-
-
+
+
Tarry & Tom -- August 2002
-
-
-
+
+
+
-
-I am currently a member of the design team for the next-generation
- operating system from the NonStop Enterprise Division of HP.
-
-I became interested in Internet Security when I established a home office
- in 1999 and had DSL service installed in our home. I investigated
- ipchains and developed the scripts which are now collectively known
-as Seattle Firewall.
-Expanding on what I learned from Seattle Firewall, I then designed
-and wrote Shorewall.
-
+
+I am currently a member of the design team for the next-generation
+ operating system from the NonStop Enterprise Division of HP.
+
+I became interested in Internet Security when I established a home office
+ in 1999 and had DSL service installed in our home. I investigated
+ ipchains and developed the scripts which are now collectively known as
+ Seattle Firewall. Expanding
+ on what I learned from Seattle Firewall, I then designed and
+wrote Shorewall.
+
I telework from our home in Shoreline, Washington
-where I live with my wife Tarry.
-
+ href="http://www.cityofshoreline.com">Shoreline, Washington where
+I live with my wife Tarry.
+
Our current home network consists of:
-
+
- - 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &
-20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
+
- 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &
+20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Dual boots Mandrake 9.0.
- - Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
- NIC - My personal Linux System which runs Samba configured as
-a WINS server. This system also has VMware installed and can run
-both Debian Woody and Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
+ NIC - My personal Linux System which runs Samba configured as a
+ WINS server. This system also has VMware installed and can run both
+ Debian Woody and SuSE 8.1 in virtual machines.
- - K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
- - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
+
- K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
+ - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind 9).
- - PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
-LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.14
+
- PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
+ LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.4.0
and a DHCP server.
- - Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
-My wife's personal system.
- - PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
- EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
- work system.
-
+ - Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
+- My wife's personal system.
+ - PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
+ EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
+main work system.
+
-
+
For more about our network see my Shorewall Configuration.
-
+
All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.
-
+
- ![]()
- ![]()
- ![]()
- ![]()
- 
-
-
-Last updated 3/7/2003 -
+
+Last updated 3/17/2003 - Tom Eastep
- Copyright © 2001, 2002, 2003 Thomas
+ Copyright © 2001, 2002, 2003 Thomas
M. Eastep.
+
diff --git a/Shorewall-docs/shorewall_prerequisites.htm b/Shorewall-docs/shorewall_prerequisites.htm
index b66ccc400..efe2c6189 100644
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@@ -1,67 +1,69 @@
-
+
-
+
-
+
-
+
Shorewall Prerequisites
-
+
-
-
- |
+ |
+
+
Shorewall Requirements
- |
-
-
-
+
+
+
+
-
- Shorewall Requires:
-
+
+ Shorewall Requires:
+
- - A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
- Check here for kernel configuration information.
- If you are looking for a firewall for use with 2.2 kernels, see the Seattle Firewall site
- .
- - iptables 1.2 or later but beware version 1.2.3 -- see the Errata. WARNING: The
- buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
-upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
-is available from RedHat
- and in the Shorewall Errata.
- - Iproute ("ip" utility). The iproute package is included with
-most distributions but may not be installed by default. The official
+
- A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
+With current releases of Shorewall, Traffic Shaping/Control requires at least
+2.4.18. Check here for kernel configuration
+ information. If you are looking for a firewall for use with
+2.2 kernels, see the Seattle Firewall
+ site .
+ - iptables 1.2 or later but beware version 1.2.3 -- see the Errata. WARNING: The
+ buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
+ upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
+ is available from RedHat
+ and in the Shorewall Errata.
+ - Iproute ("ip" utility). The iproute package is included with
+most distributions but may not be installed by default. The official
download site is ftp://ftp.inr.ac.ru/ip-routing.
+ target="_blank"> ftp://ftp.inr.ac.ru/ip-routing
.
- A Bourne shell or derivative such as bash or ash. This shell must
- have correct support for variable expansion formats ${variable%pattern
- }, ${variable%%pattern}, ${variable#pattern
+ A Bourne shell or derivative such as bash or ash. This shell must
+ have correct support for variable expansion formats ${variable%pattern
+ }, ${variable%%pattern}, ${variable#pattern
} and ${variable##pattern}.
- The firewall monitoring display is greatly improved if you have
-awk (gawk) installed.
-
+ The firewall monitoring display is greatly improved if you have
+ awk (gawk) installed.
+
-
-Last updated 2/21/2003 - Last updated 3/19/2003 - Tom Eastep
-
+
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
+
+
diff --git a/Shorewall-docs/shorewall_setup_guide.htm b/Shorewall-docs/shorewall_setup_guide.htm
index bb9699d0d..c9b333464 100644
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@@ -1,429 +1,209 @@
-
+
-
+
-
+
-
+
Shorewall Setup Guide
-
+
-
+
Shorewall Setup Guide
-
+
1.0 Introduction
- 2.0 Shorewall Concepts
- 3.0 Network Interfaces
- 4.0 Addressing, Subnets and Routing
-
-
+ 2.0 Shorewall Concepts
+ 3.0 Network Interfaces
+ 4.0 Addressing, Subnets and Routing
+
+
4.1 IP Addresses
- 4.2 Subnets
- 4.3 Routing
- 4.4 Address Resolution Protocol
- 4.5 RFC 1918
-
-
-5.0 Setting up your Network
-
-
- 5.1 Routed
- 5.2 Non-routed
-
-
- 5.2.1 SNAT
- 5.2.2 DNAT
- 5.2.3 Proxy ARP
- 5.2.4 Static NAT
+ 4.2 Subnets
+ 4.3 Routing
+ 4.4 Address Resolution Protocol
+ 4.5 RFC 1918
-
+
+5.0 Setting up your Network
+
+
+ 5.1 Routed
+ 5.2 Non-routed
+
+
+ 5.2.1 SNAT
+ 5.2.2 DNAT
+ 5.2.3 Proxy ARP
+ 5.2.4 Static NAT
+
+
5.3 Rules
- 5.4 Odds and Ends
-
-
+ 5.4 Odds and Ends
+
+
6.0 DNS
- 7.0 Starting and Stopping the Firewall
-
+ 7.0 Starting and Stopping the Firewall
+
1.0 Introduction
-
+
This guide is intended for users who are setting up Shorewall in an environment
- where a set of public IP addresses must be managed or who want to know
- more about Shorewall than is contained in the single-address guides. Because
- the range of possible applications is so broad, the Guide will give you
- general guidelines and will point you to other resources as necessary.
-
+ the range of possible applications is so broad, the Guide will give you
+ general guidelines and will point you to other resources as necessary.
+
- If you run LEAF Bering, your Shorewall configuration is NOT what
- I release -- I suggest that you consider installing a stock Shorewall
-lrp from the shorewall.net site before you proceed.
-
+ If you run LEAF Bering, your Shorewall configuration is NOT
+what I release -- I suggest that you consider installing a stock Shorewall
+ lrp from the shorewall.net site before you proceed.
+
Shorewall requires that the iproute/iproute2 package be installed (on
- RedHat, the package is called iproute). You can tell if
-this package is installed by the presence of an ip program on your
+ RedHat, the package is called iproute). You can tell if
+ this package is installed by the presence of an ip program on your
firewall system. As root, you can use the 'which' command to check for
this program:
-
+
[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
-
+
I recommend that you first read through the guide to familiarize yourself
- with what's involved then go back through it again making your configuration
- changes. Points at which configuration changes are recommended are flagged
- with 
- .
-
+ with what's involved then go back through it again making your configuration
+ changes. Points at which configuration changes are recommended are flagged
+ with
+ .
+
- If you edit your configuration files on a Windows system, you
-must save them as Unix files if your editor supports that option or you
-must run them through dos2unix before trying to use them with Shorewall.
-Similarly, if you copy a configuration file from your Windows hard drive
-to a floppy disk, you must run dos2unix against the copy before using it
-with Shorewall.
-
+ If you edit your configuration files on a Windows system, you
+ must save them as Unix files if your editor supports that option or you
+ must run them through dos2unix before trying to use them with Shorewall.
+ Similarly, if you copy a configuration file from your Windows hard drive
+ to a floppy disk, you must run dos2unix against the copy before using
+it with Shorewall.
+
-
+
2.0 Shorewall Concepts
-
+
The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for most setups, you will only need to deal with a few
of these as described in this guide. Skeleton files are created during the
Shorewall Installation Process.
-
+
As each file is introduced, I suggest that you look through the actual
- file on your system -- each file contains detailed configuration instructions
- and some contain default entries.
-
+ file on your system -- each file contains detailed configuration instructions
+ and some contain default entries.
+
Shorewall views the network where it is running as being composed of a
- set of zones. In the default installation, the following zone names
- are used:
-
+ set of zones. In the default installation, the following zone
+names are used:
+
-
-
- | Name |
- Description |
-
-
- | net |
- The Internet |
-
-
- | loc |
- Your Local Network |
-
-
- | dmz |
- Demilitarized Zone |
-
-
-
+
+
+ | Name |
+ Description |
+
+
+ | net |
+ The Internet |
+
+
+ | loc |
+ Your Local Network |
+
+
+ | dmz |
+ Demilitarized Zone |
+
+
+
-
+
Zones are defined in the /etc/shorewall/zones
- file.
-
+ file.
+
Shorewall also recognizes the firewall system as its own zone - by default,
- the firewall itself is known as fw but that may be changed in the
- /etc/shorewall/shorewall.conf
- file. In this guide, the default name (fw) will be used.
-
+ the firewall itself is known as fw but that may be changed in
+the /etc/shorewall/shorewall.conf
+ file. In this guide, the default name (fw) will be used.
+
With the exception of fw, Shorewall attaches absolutely no meaning
- to zone names. Zones are entirely what YOU make of them. That means that
- you should not expect Shorewall to do something special "because this
-is the internet zone" or "because that is the DMZ".
-
+ to zone names. Zones are entirely what YOU make of them. That means that
+ you should not expect Shorewall to do something special "because this
+ is the internet zone" or "because that is the DMZ".
+
- Edit the /etc/shorewall/zones file and make any changes necessary.
-
+ Edit the /etc/shorewall/zones file and make any changes necessary.
+
Rules about what traffic to allow and what traffic to deny are expressed
- in terms of zones.
-
+ in terms of zones.
+
-
+
Shorewall is built on top of the Netfilter
- kernel facility. Netfilter implements a connection
- tracking function that allows what is often referred to as stateful
- inspection of packets. This stateful property allows firewall rules
- to be defined in terms of connections rather than in terms of
- packets. With Shorewall, you:
-
+ tracking function that allows what is often referred to as stateful
+ inspection of packets. This stateful property allows firewall rules
+ to be defined in terms of connections rather than in terms of
+ packets. With Shorewall, you:
+
- - Identify the source zone.
- - Identify the destination zone.
- - If the POLICY from the client's zone to the server's
- zone is what you want for this client/server pair, you need do nothing
- further.
- - If the POLICY is not what you want, then you must add
- a rule. That rule is expressed in terms of the client's zone and
-the server's zone.
-
+ - Identify the source zone.
+ - Identify the destination zone.
+ - If the POLICY from the client's zone to the server's
+ zone is what you want for this client/server pair, you need do
+nothing further.
+ - If the POLICY is not what you want, then you must
+add a rule. That rule is expressed in terms of the client's zone
+and the server's zone.
+
-
+
Just because connections of a particular type are allowed from zone A
to the firewall and are also allowed from the firewall to zone B DOES NOT mean that these connections are allowed
- from zone A to zone B. It rather means that you can have
- a proxy running on the firewall that accepts a connection from zone
+ from zone A to zone B
. It rather means that you can
+have a proxy running on the firewall that accepts a connection from zone
A and then establishes its own separate connection from the firewall to
zone B.
-
+
For each connection request entering the firewall, the request is first
- checked against the /etc/shorewall/rules file. If no rule in that file
- matches the connection request then the first policy in /etc/shorewall/policy
- that matches the request is applied. If that policy is REJECT or DROP
-the request is first checked against the rules in /etc/shorewall/common.def.
-
+ checked against the /etc/shorewall/rules file. If no rule in that file
+ matches the connection request then the first policy in /etc/shorewall/policy
+ that matches the request is applied. If that policy is REJECT or DROP
+ the request is first checked against the rules in /etc/shorewall/common.def.
+
The default /etc/shorewall/policy file has the following policies:
-
-
-
-
-
- | Source Zone |
- Destination Zone |
- Policy |
- Log Level |
- Limit:Burst |
-
-
- | loc |
- net |
- ACCEPT |
- |
- |
-
-
- | net |
- all |
- DROP |
- info |
- |
-
-
- | all |
- all |
- REJECT |
- info |
- |
-
-
-
-
-
-
-The above policy will:
-
-
- - allow all connection requests from your local network to the
- internet
- - drop (ignore) all connection requests from the internet to
-your firewall or local network and log a message at the info
-level (here is a description of log
-levels).
- - reject all other connection requests and log a message at the
- info level. When a request is rejected, the firewall will
- return an RST (if the protocol is TCP) or an ICMP port-unreachable packet
- for other protocols.
-
-
-
-
- At this point, edit your /etc/shorewall/policy and make any changes
- that you wish.
-
-3.0 Network Interfaces
-
-For the remainder of this guide, we'll refer to the following
- diagram. While it may not look like your own network, it can be used to
- illustrate the important aspects of Shorewall configuration.
-
-In this diagram:
-
-
- - The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is
-used to isolate your internet-accessible servers from your local systems
-so that if one of those servers is compromised, you still have the firewall
- between the compromised system and your local systems.
- - The Local Zone consists of systems Local 1, Local 2 and Local
- 3.
- - All systems from the ISP outward comprise the Internet Zone.
-
-
-
-
- 
-
-
-The simplest way to define zones is to simply associate the
- zone name (previously defined in /etc/shorewall/zones) with a network
-interface. This is done in the /etc/shorewall/interfaces
- file.
-
-The firewall illustrated above has three network interfaces.
- Where Internet connectivity is through a cable or DSL "Modem", the External
- Interface will be the Ethernet adapter that is connected to that "Modem"
- (e.g., eth0) unless you connect via Point-to-Point
- Protocol over Ethernet (PPPoE) or Point-to-Point
- Tunneling Protocol (PPTP) in which case the External
-Interface will be a ppp interface (e.g., ppp0). If you connect via
-a regular modem, your External Interface will also be ppp0. If
-you connect using ISDN, you external interface will be ippp0.
-
-
- If your external interface is ppp0 or ippp0 then
- you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.
-
-Your Local Interface will be an Ethernet adapter (eth0,
- eth1 or eth2) and will be connected to a hub or switch. Your local computers
- will be connected to the same switch (note: If you have only a single
-local system, you can connect the firewall directly to the computer using
-a cross-over cable).
-
-Your DMZ Interface will also be an Ethernet adapter
- (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
- computers will be connected to the same switch (note: If you have only
-a single DMZ system, you can connect the firewall directly to the computer
- using a cross-over cable).
-
-
- Do not connect more than one interface to the same hub or
-switch (even for testing). It won't work the way that you expect it to
-and you will end up confused and believing that Linux networking doesn't
-work at all.
-
-For the remainder of this Guide, we will assume that:
-
-
- -
-
The external interface is eth0.
-
- -
-
The Local interface is eth1.
-
- -
-
The DMZ interface is eth2.
-
-
-
-
-The Shorewall default configuration does not define the contents
- of any zone. To define the above configuration using the /etc/shorewall/interfaces
- file, that file would might contain:
-
-
-
-
-
- | Zone |
- Interface |
- Broadcast |
- Options |
-
-
- | net |
- eth0 |
- detect |
- norfc1918 |
-
-
- | loc |
- eth1 |
- detect |
- |
-
-
- | dmz |
- eth2 |
- detect |
- |
-
-
-
-
-
-
-
- Edit the /etc/shorewall/interfaces file and define the network
- interfaces on your firewall and associate each interface with a zone.
-If you have a zone that is interfaced through more than one interface,
-simply include one entry for each interface and repeat the zone name as
-many times as necessary.
-
-Example:
-
-
-
-
-
- | Zone |
- Interface |
- Broadcast |
- Options |
-
-
- | net |
- eth0 |
- detect |
- norfc1918 |
-
-
- | loc |
- eth1 |
- detect |
- |
-
-
- | loc |
- eth2 |
- detect |
- dhcp |
-
-
-
-
-
-
-
-
When you have more than one interface to a zone, you will
- usually want a policy that permits intra-zone traffic:
-
-
+
+
-
+
| Source Zone |
Destination Zone |
Policy |
@@ -432,80 +212,302 @@ many times as necessary.
| loc |
- loc |
+ net |
ACCEPT |
|
|
-
-
+
+ | net |
+ all |
+ DROP |
+ info |
+ |
+
+
+ | all |
+ all |
+ REJECT |
+ info |
+ |
+
+
+
-
The above policy will:
+
+
+ - allow all connection requests from your local network to
+the internet
+ - drop (ignore) all connection requests from the internet to
+ your firewall or local network and log a message at the info
+ level (here is a description of log
+ levels).
+ - reject all other connection requests and log a message at
+the info level. When a request is rejected, the firewall
+will return an RST (if the protocol is TCP) or an ICMP port-unreachable
+packet for other protocols.
+
+
+
+
+ At this point, edit your /etc/shorewall/policy and make any
+changes that you wish.
+
+3.0 Network Interfaces
+
+For the remainder of this guide, we'll refer to the following
+ diagram. While it may not look like your own network, it can be used
+to illustrate the important aspects of Shorewall configuration.
+
+In this diagram:
+
+
+ - The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is
+ used to isolate your internet-accessible servers from your local systems
+ so that if one of those servers is compromised, you still have the firewall
+ between the compromised system and your local systems.
+ - The Local Zone consists of systems Local 1, Local 2 and Local
+ 3.
+ - All systems from the ISP outward comprise the Internet Zone.
+
+
+
+
+
+
+
+The simplest way to define zones is to simply associate the
+ zone name (previously defined in /etc/shorewall/zones) with a network
+ interface. This is done in the /etc/shorewall/interfaces file.
+
+The firewall illustrated above has three network interfaces.
+ Where Internet connectivity is through a cable or DSL "Modem", the External
+ Interface will be the Ethernet adapter that is connected to that
+"Modem" (e.g., eth0) unless you connect via Point-to-Point
+ Protocol over Ethernet (PPPoE) or Point-to-Point
+ Tunneling Protocol (PPTP) in which case the External
+ Interface will be a ppp interface (e.g., ppp0). If you connect
+via a regular modem, your External Interface will also be ppp0.
+If you connect using ISDN, you external interface will be ippp0.
+
+
+ If your external interface is ppp0 or ippp0 then
+ you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.
+
+Your Local Interface will be an Ethernet adapter (eth0,
+ eth1 or eth2) and will be connected to a hub or switch. Your local computers
+ will be connected to the same switch (note: If you have only a single
+ local system, you can connect the firewall directly to the computer using
+ a cross-over cable).
+
+Your DMZ Interface will also be an Ethernet adapter
+ (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
+ computers will be connected to the same switch (note: If you have only
+ a single DMZ system, you can connect the firewall directly to the computer
+ using a cross-over cable).
+
+
+ Do not connect more than one interface to the same hub
+or switch (even for testing). It won't work the way that you expect
+it to and you will end up confused and believing that Linux networking
+doesn't work at all.
+
+For the remainder of this Guide, we will assume that:
+
+
+ -
+
The external interface is eth0.
+
+ -
+
The Local interface is eth1.
+
+ -
+
The DMZ interface is eth2.
+
+
+
+
+The Shorewall default configuration does not define the contents
+ of any zone. To define the above configuration using the /etc/shorewall/interfaces
+ file, that file would might contain:
+
+
+
+
+
+ | Zone |
+ Interface |
+ Broadcast |
+ Options |
+
+
+ | net |
+ eth0 |
+ detect |
+ norfc1918 |
+
+
+ | loc |
+ eth1 |
+ detect |
+ |
+
+
+ | dmz |
+ eth2 |
+ detect |
+ |
+
+
+
+
+
+
- You may define more complicated zones using the
+
+Example:
+
+
+
+
+
+ | Zone |
+ Interface |
+ Broadcast |
+ Options |
+
+
+ | net |
+ eth0 |
+ detect |
+ norfc1918 |
+
+
+ | loc |
+ eth1 |
+ detect |
+ |
+
+
+ | loc |
+ eth2 |
+ detect |
+ dhcp |
+
+
+
+
+
+
+
+
When you have more than one interface to a zone, you will
+ usually want a policy that permits intra-zone traffic:
+
+
+
+
+
+ | Source Zone |
+ Destination Zone |
+ Policy |
+ Log Level |
+ Limit:Burst |
+
+
+ | loc |
+ loc |
+ ACCEPT |
+ |
+ |
+
+
+
+
+
+
+ You may define more complicated zones using the /etc/shorewall/hosts file but in most
- cases, that isn't necessary.
-
+ cases, that isn't necessary.
+
4.0 Addressing, Subnets and Routing
-
+
Normally, your ISP will assign you a set of Public
- IP addresses. You will configure your firewall's external interface to
-use one of those addresses permanently and you will then have to decide
-how you are going to use the rest of your addresses. Before we tackle that
-question though, some background is in order.
-
+ IP addresses. You will configure your firewall's external interface to
+ use one of those addresses permanently and you will then have to decide
+ how you are going to use the rest of your addresses. Before we tackle that
+ question though, some background is in order.
+
If you are thoroughly familiar with IP addressing and routing,
- you may go to the next section.
-
+ you may go to the next section.
+
The following discussion barely scratches the surface of addressing
and routing. If you are interested in learning more about this subject,
I highly recommend "IP Fundamentals: What Everyone Needs to Know about
Addressing & Routing", Thomas A. Maufer, Prentice-Hall, 1999, ISBN
0-13-975483-0.
-
+
4.1 IP Addresses
-
+
IP version 4 (IPv4) addresses are 32-bit numbers.
- The notation w.x.y.z refers to an address where the high-order byte has
- value "w", the next byte has value "x", etc. If we take the address 192.0.2.14
- and express it in hexadecimal, we get:
-
-
+ The notation w.x.y.z refers to an address where the high-order byte has
+ value "w", the next byte has value "x", etc. If we take the address 192.0.2.14
+ and express it in hexadecimal, we get:
+
+
C0.00.02.0E
-
-
+
+
or looking at it as a 32-bit integer
-
-
+
+
C000020E
-
-
+
+
4.2 Subnets
-
+
You will still hear the terms "Class A network", "Class B
- network" and "Class C network". In the early days of IP, networks only
- came in three sizes (there were also Class D networks but they were used
- differently):
-
-
+ network" and "Class C network". In the early days of IP, networks only
+ came in three sizes (there were also Class D networks but they were used
+ differently):
+
+
Class A - netmask 255.0.0.0, size = 2 ** 24
-
+
Class B - netmask 255.255.0.0, size = 2 ** 16
-
+
Class C - netmask 255.255.255.0, size = 256
-
-
+
+
The class of a network was uniquely determined by the value
- of the high order byte of its address so you could look at an IP address
- and immediately determine the associated netmask. The netmask is
- a number that when logically ANDed with an address isolates the network
- number; the remainder of the address is the host number. For
- example, in the Class C address 192.0.2.14, the network number is hex C00002
- and the host number is hex 0E.
-
+ of the high order byte of its address so you could look at an IP address
+ and immediately determine the associated netmask. The netmask
+is a number that when logically ANDed with an address isolates the network
+ number; the remainder of the address is the host number. For
+ example, in the Class C address 192.0.2.14, the network number is hex
+C00002 and the host number is hex 0E.
+
As the internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting (early
on, large corporations and universities were assigned their own class A
@@ -513,2005 +515,2019 @@ partitioning of the 32-bit address space was going to be very limiting (early
these networks into smaller subnetworks evolved; that technique is
referred to as Classless InterDomain Routing (CIDR). Today, any system
that you are likely to work with will understand CIDR and Class-based networking
- is largely a thing of the past.
-
+ is largely a thing of the past.
+
A subnetwork (often referred to as a subnet) is
- a contiguous set of IP addresses such that:
-
+ a contiguous set of IP addresses such that:
+
- -
+
-
The number of addresses in the set is a power of 2; and
-
- -
+
+ -
The first address in the set is a multiple of the set
- size.
-
- -
+ size.
+
+ -
The first address in the subnet is reserved and is referred
- to as the subnet address.
-
- -
+ to as the subnet address.
+
+ -
The last address in the subnet is reserved as the subnet's
- broadcast address.
-
-
+ broadcast address.
+
+
-
+
As you can see by this definition, in each subnet of size
- n there are (n - 2) usable addresses (addresses that can
- be assigned to hosts). The first and last address in the subnet are
-used for the subnet address and subnet broadcast address respectively.
-Consequently, small subnetworks are more wasteful of IP addresses than
-are large ones.
-
+ n there are (n - 2) usable addresses (addresses that
+can be assigned to hosts). The first and last address in the subnet
+are used for the subnet address and subnet broadcast address respectively.
+ Consequently, small subnetworks are more wasteful of IP addresses than
+ are large ones.
+
Since n is a power of two, we can easily calculate
- the Natural Logarithm (log2) of n. For the more
-common subnet sizes, the size and its natural logarithm are given in the
- following table:
-
-
+ the Natural Logarithm (log2) of n. For the more
+ common subnet sizes, the size and its natural logarithm are given in the
+ following table:
+
+
-
-
- | n |
- log2 n |
- (32 - log2 n) |
-
-
- | 8 |
- 3 |
- 29 |
-
-
- | 16 |
- 4 |
- 28 |
-
-
- | 32 |
- 5 |
- 27 |
-
-
- | 64 |
- 6 |
- 26 |
-
-
- | 128 |
- 7 |
- 25 |
-
-
- | 256 |
- 8 |
- 24 |
-
-
- | 512 |
- 9 |
- 23 |
-
-
- | 1024 |
- 10 |
- 22 |
-
-
- | 2048 |
- 11 |
- 21 |
-
-
- | 4096 |
- 12 |
- 20 |
-
-
- | 8192 |
- 13 |
- 19 |
-
-
- | 16384 |
- 14 |
- 18 |
-
-
- | 32768 |
- 15 |
- 17 |
-
-
- | 65536 |
- 16 |
- 16 |
-
-
-
+
+
+ | n |
+ log2 n |
+ (32 - log2 n) |
+
+
+ | 8 |
+ 3 |
+ 29 |
+
+
+ | 16 |
+ 4 |
+ 28 |
+
+
+ | 32 |
+ 5 |
+ 27 |
+
+
+ | 64 |
+ 6 |
+ 26 |
+
+
+ | 128 |
+ 7 |
+ 25 |
+
+
+ | 256 |
+ 8 |
+ 24 |
+
+
+ | 512 |
+ 9 |
+ 23 |
+
+
+ | 1024 |
+ 10 |
+ 22 |
+
+
+ | 2048 |
+ 11 |
+ 21 |
+
+
+ | 4096 |
+ 12 |
+ 20 |
+
+
+ | 8192 |
+ 13 |
+ 19 |
+
+
+ | 16384 |
+ 14 |
+ 18 |
+
+
+ | 32768 |
+ 15 |
+ 17 |
+
+
+ | 65536 |
+ 16 |
+ 16 |
+
+
+
-
-
+
+
You will notice that the above table also contains a column
- for (32 - log2 n). That number is the Variable Length Subnet
- Mask for a network of size n. From the above table, we can
- derive the following one which is a little easier to use.
-
-
+ for (32 - log2 n). That number is the Variable Length Subnet
+ Mask for a network of size n. From the above table, we can
+ derive the following one which is a little easier to use.
+
+
-
-
- | Size of Subnet |
- VLSM |
- Subnet Mask |
-
-
- | 8 |
- /29 |
- 255.255.255.248 |
-
-
- | 16 |
- /28 |
- 255.255.255.240 |
-
-
- | 32 |
- /27 |
- 255.255.255.224 |
-
-
- | 64 |
- /26 |
- 255.255.255.192 |
-
-
- | 128 |
- /25 |
- 255.255.255.128 |
-
-
- | 256 |
- /24 |
- 255.255.255.0 |
-
-
- | 512 |
- /23 |
- 255.255.254.0 |
-
-
- | 1024 |
- /22 |
- 255.255.252.0 |
-
-
- | 2048 |
- /21 |
- 255.255.248.0 |
-
-
- | 4096 |
- /20 |
- 255.255.240.0 |
-
-
- | 8192 |
- /19 |
- 255.255.224.0 |
-
-
- | 16384 |
- /18 |
- 255.255.192.0 |
-
-
- | 32768 |
- /17 |
- 255.255.128.0 |
-
-
- | 65536 |
- /16 |
- 255.255.0.0 |
-
-
- | 2 ** 24 |
- /8 |
- 255.0.0.0 |
-
-
-
+
+
+ | Size of Subnet |
+ VLSM |
+ Subnet Mask |
+
+
+ | 8 |
+ /29 |
+ 255.255.255.248 |
+
+
+ | 16 |
+ /28 |
+ 255.255.255.240 |
+
+
+ | 32 |
+ /27 |
+ 255.255.255.224 |
+
+
+ | 64 |
+ /26 |
+ 255.255.255.192 |
+
+
+ | 128 |
+ /25 |
+ 255.255.255.128 |
+
+
+ | 256 |
+ /24 |
+ 255.255.255.0 |
+
+
+ | 512 |
+ /23 |
+ 255.255.254.0 |
+
+
+ | 1024 |
+ /22 |
+ 255.255.252.0 |
+
+
+ | 2048 |
+ /21 |
+ 255.255.248.0 |
+
+
+ | 4096 |
+ /20 |
+ 255.255.240.0 |
+
+
+ | 8192 |
+ /19 |
+ 255.255.224.0 |
+
+
+ | 16384 |
+ /18 |
+ 255.255.192.0 |
+
+
+ | 32768 |
+ /17 |
+ 255.255.128.0 |
+
+
+ | 65536 |
+ /16 |
+ 255.255.0.0 |
+
+
+ | 2 ** 24 |
+ /8 |
+ 255.0.0.0 |
+
+
+
-
-
+
+
Notice that the VLSM is written with a slash ("/") -- you
- will often hear a subnet of size 64 referred to as a "slash 26" subnet
- and one of size 8 referred to as a "slash 29".
-
+ will often hear a subnet of size 64 referred to as a "slash 26" subnet
+ and one of size 8 referred to as a "slash 29".
+
The subnet's mask (also referred to as its netmask) is
- simply a 32-bit number with the first "VLSM" bits set to one and the
- remaining bits set to zero. For example, for a subnet of size 64, the
- subnet mask has 26 leading one bits:
-
-
+ simply a 32-bit number with the first "VLSM" bits set to one and the
+ remaining bits set to zero. For example, for a subnet of size 64, the
+ subnet mask has 26 leading one bits:
+
+
11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
- = 255.255.255.192
-
-
+ = 255.255.255.192
+
+
The subnet mask has the property that if you logically AND
- the subnet mask with an address in the subnet, the result is the subnet
- address. Just as important, if you logically AND the subnet mask with
- an address outside the subnet, the result is NOT the subnet address.
-As we will see below, this property of subnet masks is very useful in
-routing.
-
+ the subnet mask with an address in the subnet, the result is the subnet
+ address. Just as important, if you logically AND the subnet mask with
+ an address outside the subnet, the result is NOT the subnet address.
+ As we will see below, this property of subnet masks is very useful in
+ routing.
+
For a subnetwork whose address is a.b.c.d and whose
- Variable Length Subnet Mask is /v, we denote the subnetwork as
- "a.b.c.d/v" using CIDR Notation.
-
+ Variable Length Subnet Mask is /v, we denote the subnetwork
+as "a.b.c.d/v" using CIDR Notation.
+
Example:
-
-
+
+
-
-
- | Subnet: |
- 10.10.10.0 - 10.10.10.127 |
-
-
- | Subnet Size: |
- 128 |
-
-
- | Subnet Address: |
- 10.10.10.0 |
-
-
- | Broadcast Address: |
- 10.10.10.127 |
-
-
- | CIDR Notation: |
- 10.10.10.0/25 |
-
-
-
+
+
+ | Subnet: |
+ 10.10.10.0 - 10.10.10.127 |
+
+
+ | Subnet Size: |
+ 128 |
+
+
+ | Subnet Address: |
+ 10.10.10.0 |
+
+
+ | Broadcast Address: |
+ 10.10.10.127 |
+
+
+ | CIDR Notation: |
+ 10.10.10.0/25 |
+
+
+
-
-
+
+
There are two degenerate subnets that need mentioning; namely,
- the subnet with one member and the subnet with 2 ** 32 members.
-
-
+ the subnet with one member and the subnet with 2 ** 32 members.
+
+
-
-
- | Size of Subnetwork |
- VLSM Length |
- Subnet Mask |
- CIDR Notation |
-
-
- | 1 |
- 32 |
- 255.255.255.255 |
- a.b.c.d/32 |
-
-
- | 2 ** 32 |
- 0 |
- 0.0.0.0 |
- 0.0.0.0/0 |
-
-
-
+
+
+ | Size of Subnetwork |
+ VLSM Length |
+ Subnet Mask |
+ CIDR Notation |
+
+
+ | 1 |
+ 32 |
+ 255.255.255.255 |
+ a.b.c.d/32 |
+
+
+ | 2 ** 32 |
+ 0 |
+ 0.0.0.0 |
+ 0.0.0.0/0 |
+
+
+
-
-
-So any address a.b.c.d may also be written a.b.c.d/32
- and the set of all possible IP addresses is written 0.0.0.0/0.
-
-Later in this guide, you will see the notation a.b.c.d/v
- used to describe the ip configuration of a network interface (the 'ip'
- utility also uses this syntax). This simply means that the interface is
- configured with ip address a.b.c.d and with the netmask that corresponds
- to VLSM /v.
-
-Example: 192.0.2.65/29
-
- The interface is configured with IP address 192.0.2.65
- and netmask 255.255.255.248.
-
-4.3 Routing
-
-One of the purposes of subnetting is that it forms the basis
- for routing. Here's the routing table on my firewall:
-
-
-
- [root@gateway root]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.9.1 0.0.0.0 255.255.255.255 UH 40 0 0 texas
206.124.146.177 0.0.0.0 255.255.255.255 UH 40 0 0 eth1
206.124.146.180 0.0.0.0 255.255.255.255 UH 40 0 0 eth3
192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 eth3
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2
206.124.146.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
192.168.9.0 192.0.2.223 255.255.255.0 UG 40 0 0 texas
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 206.124.146.254 0.0.0.0 UG 40 0 0 eth0
[root@gateway root]#
-
So any address a.b.c.d may also be written a.b.c.d/32
+ and the set of all possible IP addresses is written 0.0.0.0/0.
+
+Later in this guide, you will see the notation a.b.c.d/v
+ used to describe the ip configuration of a network interface (the 'ip'
+ utility also uses this syntax). This simply means that the interface is
+ configured with ip address a.b.c.d and with the netmask that corresponds
+ to VLSM /v.
+
+Example: 192.0.2.65/29
+
+ The interface is configured with IP address 192.0.2.65
+ and netmask 255.255.255.248.
+
+4.3 Routing
+
+One of the purposes of subnetting is that it forms the basis
+ for routing. Here's the routing table on my firewall:
+
+
+
+ [root@gateway root]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.9.1 0.0.0.0 255.255.255.255 UH 40 0 0 texas
206.124.146.177 0.0.0.0 255.255.255.255 UH 40 0 0 eth1
206.124.146.180 0.0.0.0 255.255.255.255 UH 40 0 0 eth3
192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 eth3
192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2
206.124.146.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
192.168.9.0 192.0.2.223 255.255.255.0 UG 40 0 0 texas
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 206.124.146.254 0.0.0.0 UG 40 0 0 eth0
[root@gateway root]#
+
+
The device texas is a GRE tunnel to a peer site in
- the Dallas, Texas area.
-
- The first three routes are host routes since they indicate
-how to get to a single host. In the 'netstat' output this can be seen
-by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags
-column. The remainder are 'net' routes since they tell the kernel how
-to route packets to a subnetwork. The last route is the default route
-and the gateway mentioned in that route is called the default gateway.
-
+ the Dallas, Texas area.
+
+ The first three routes are host routes since they indicate
+ how to get to a single host. In the 'netstat' output this can be seen
+ by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the
+Flags column. The remainder are 'net' routes since they tell the kernel
+how to route packets to a subnetwork. The last route is the default
+route and the gateway mentioned in that route is called the default
+ gateway.
+
When the kernel is trying to send a packet to IP address A,
it starts at the top of the routing table and:
-
+
- -
+
-
A is logically ANDed with the 'Genmask' value in
the table entry.
-
- -
+
+ -
The result is compared with the 'Destination' value in
- the table entry.
-
- -
+ the table entry.
+
+ -
If the result and the 'Destination' value are the same,
- then:
-
+ then:
+
- -
-
+
-
+
If the 'Gateway' column is non-zero, the packet is
- sent to the gateway over the interface named in the 'Iface' column.
-
- -
-
+ sent to the gateway over the interface named in the 'Iface' column.
+
+ -
+
Otherwise, the packet is sent directly to A over
- the interface named in the 'iface' column.
-
-
+ the interface named in the 'iface' column.
+
+
-
-
+
+
Otherwise, the above steps are repeated on the next entry
- in the table.
-
-
+ in the table.
+
+
-
+
Since the default route matches any IP address (A land
0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table
entries are sent to the default gateway which is usually a router
at your ISP.
-
+
Lets take an example. Suppose that we want to route a packet
- to 192.168.1.5. That address clearly doesn't match any of the host routes
- in the table but if we logically and that address with 255.255.255.0,
-the result is 192.168.1.0 which matches this routing table entry:
-
-
-
+ to 192.168.1.5. That address clearly doesn't match any of the host routes
+ in the table but if we logically and that address with 255.255.255.0,
+ the result is 192.168.1.0 which matches this routing table entry:
+
+
+
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2
-
-
+
+
So to route a packet to 192.168.1.5, the packet is sent directly over eth2.
-
One more thing needs to be emphasized -- all outgoing packet
- are sent using the routing table and reply packets are not a special case.
- There seems to be a common mis-conception whereby people think that request
- packets are like salmon and contain a genetic code that is magically
+ are sent using the routing table and reply packets are not a special
+case. There seems to be a common mis-conception whereby people think that
+request packets are like salmon and contain a genetic code that is magically
transferred to reply packets so that the replies follow the reverse route
taken by the request. That isn't the case; the replies may take a totally
different route back to the client than was taken by the requests -- they
are totally independent.
-
+
4.4 Address Resolution Protocol
-
+
When sending packets over Ethernet, IP addresses aren't used.
- Rather Ethernet addressing is based on Media Access Control (MAC)
- addresses. Each Ethernet device has it's own unique MAC address which
- is burned into a PROM on the device during manufacture. You can obtain
-the MAC of an Ethernet device using the 'ip' utility:
-
-
-
+ Rather Ethernet addressing is based on
Media Access Control (MAC)
+ addresses. Each Ethernet device has it's own unique MAC address which
+ is burned into a PROM on the device during manufacture. You can obtain
+ the MAC of an Ethernet device using the 'ip' utility:
+
+
+
[root@gateway root]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
[root@gateway root]#
-
-
-
-
+
+
+
+
As you can see from the above output, the MAC is 6 bytes (48
bits) wide. A card's MAC is usually also printed on a label attached to
the card itself.
-
-
-
+
+
+
Because IP uses IP addresses and Ethernet uses MAC addresses,
- a mechanism is required to translate an IP address into a MAC address;
- that is the purpose of the Address Resolution Protocol (ARP).
- Here is ARP in action:
-
-
-
-
-
+ a mechanism is required to translate an IP address into a MAC address;
+ that is the purpose of the Address Resolution Protocol (ARP).
+ Here is ARP in action:
+
+
+
+
+
[root@gateway root]# tcpdump -nei eth2 arp
tcpdump: listening on eth2
09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0
2 packets received by filter
0 packets dropped by kernel
[root@gateway root]#
+
+
+
In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
+ to know the MAC of the device with IP address 192.168.1.19. The system
+ having that IP address is responding that the MAC address of the device
+ with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.
+
+In order to avoid having to exchange ARP information each
+ time that an IP packet is to be sent, systems maintain an ARP cache
+ of IP<->MAC correspondences. You can see the ARP cache on your
+system (including your Windows system) using the 'arp' command:
+
+
+
+
[root@gateway root]# arp -na
? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
-
-
-
In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants
- to know the MAC of the device with IP address 192.168.1.19. The system
- having that IP address is responding that the MAC address of the device
- with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.
-
-
In order to avoid having to exchange ARP information each
- time that an IP packet is to be sent, systems maintain an ARP cache
- of IP<->MAC correspondences. You can see the ARP cache on your system
- (including your Windows system) using the 'arp' command:
-
-
-
-
[root@gateway root]# arp -na
? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
-
-
+
The leading question marks are a result of my having specified
- the 'n' option (Windows 'arp' doesn't allow that option) which causes
-the 'arp' program to forego IP->DNS name translation. Had I not given
-that option, the question marks would have been replaced with the FQDN
-corresponding to each IP address. Notice that the last entry in the table
-records the information we saw using tcpdump above.
-
+ the 'n' option (Windows 'arp' doesn't allow that option) which causes
+ the 'arp' program to forego IP->DNS name translation. Had I not given
+ that option, the question marks would have been replaced with the FQDN
+ corresponding to each IP address. Notice that the last entry in the table
+ records the information we saw using tcpdump above.
+
4.5 RFC 1918
-
+
IP addresses are allocated by the Internet Assigned Number Authority (IANA)
- who delegates allocations on a geographic basis to Regional Internet
- Registries (RIRs). For example, allocation for the Americas and for
- sub-Sahara Africa is delegated to the American
- Registry for Internet Numbers (ARIN). These RIRs may in turn delegate
- to national registries. Most of us don't deal with these registrars but
- rather get our IP addresses from our ISP.
-
+ who delegates allocations on a geographic basis to
Regional Internet
+ Registries (RIRs). For example, allocation for the Americas and for
+ sub-Sahara Africa is delegated to the
American Registry for Internet Numbers
+(ARIN). These RIRs may in turn delegate to national registries. Most
+of us don't deal with these registrars but rather get our IP addresses
+from our ISP.
+
It's a fact of life that most of us can't afford as many Public
IP addresses as we have devices to assign them to so we end up making use
of Private IP addresses. RFC 1918 reserves several IP address ranges
for this purpose:
-
-
+
+
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
-
-
-
+
+
+
The addresses reserved by RFC 1918 are sometimes referred
- to as non-routable because the Internet backbone routers don't
- forward packets which have an RFC-1918 destination address. This is understandable
- given that anyone can select any of these addresses for their private
- use.
-
-
-
+ to as non-routable because the Internet backbone routers don't
+ forward packets which have an RFC-1918 destination address. This is
+understandable given that anyone can select any of these addresses for
+their private use.
+
+
+
When selecting addresses from these ranges, there's a couple
- of things to keep in mind:
-
-
-
+ of things to keep in mind:
+
+
+
- -
+
-
As the IPv4 address space becomes depleted, more and more
organizations (including ISPs) are beginning to use RFC 1918 addresses
- in their infrastructure.
-
- -
+ in their infrastructure.
+
+ -
You don't want to use addresses that are being used by
- your ISP or by another organization with whom you want to establish
- a VPN relationship.
-
-
+ your ISP or by another organization with whom you want to establish
+ a VPN relationship.
+
+
-
-
-
+
+
+
So it's a good idea to check with your ISP to see if they
- are using (or are planning to use) private addresses before you decide
- the addresses that you are going to use.
-
-
-
+ are using (or are planning to use) private addresses before you decide
+ the addresses that you are going to use.
+
+
+
5.0 Setting up your Network
-
-
-
+
+
+
The choice of how to set up your network depends primarily
- on how many Public IP addresses you have vs. how many addressable entities
- you have in your network. Regardless of how many addresses you have,
- your ISP will handle that set of addresses in one of two ways:
-
-
-
+ on how many Public IP addresses you have vs. how many addressable entities
+ you have in your network. Regardless of how many addresses you have,
+ your ISP will handle that set of addresses in one of two ways:
+
+
+
- -
+
-
Routed - Traffic to any of your addresses will
- be routed through a single gateway address. This will generally
- only be done if your ISP has assigned you a complete subnet (/29 or
-larger). In this case, you will assign the gateway address as the IP
-address of your firewall/router's external interface.
-
- -
+ be routed through a single gateway address. This will generally
+ only be done if your ISP has assigned you a complete subnet (/29 or
+ larger). In this case, you will assign the gateway address as the IP
+ address of your firewall/router's external interface.
+
+ -
Non-routed - Your ISP will send traffic to each
- of your addresses directly.
-
-
+ of your addresses directly.
+
+
-
-
-
+
+
+
In the subsections that follow, we'll look at each of these
- separately.
-
-
+ separately.
+
+
Before we begin, there is one thing for you to check:
-
+
- If you are using the Debian package, please check your shorewall.conf
- file to ensure that the following are set correctly; if they are not,
+ If you are using the Debian package, please check your shorewall.conf
+ file to ensure that the following are set correctly; if they are not,
change them appropriately:
-
-
+
+
- - NAT_ENABLED=Yes
- - IP_FORWARDING=On
-
-
+ - NAT_ENABLED=Yes
+ - IP_FORWARDING=On
+
+
-
-
-
+
+
+
-
-
+
+
+
Let's assume that your ISP has assigned you the subnet
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
- 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
- is 192.0.2.65. Your ISP has also told you that you should use a netmask
- of 255.255.255.0 (so your /28 is part of a larger /24). With this many
- IP addresses, you are able to subnet your /28 into two /29's and set
-up your network as shown in the following diagram.
-
-
-
+ 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
+ is 192.0.2.65. Your ISP has also told you that you should use a netmask
+ of 255.255.255.0 (so your /28 is part of a larger /24). With this many
+ IP addresses, you are able to subnet your /28 into two /29's and set
+ up your network as shown in the following diagram.
+
+
+
-
-
-
-
+
+
+
+
Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
be configured to 192.0.2.66 and the default gateway for hosts in the local
network would be 192.0.2.73.
-
-
-
+
+
+
Notice that this arrangement is rather wasteful of public
- IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
-addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and
-192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router.
-Nevertheless, it shows how subnetting can work and if we were dealing
-with a /24 rather than a /28 network, the use of 6 IP addresses out of
-256 would be justified because of the simplicity of the setup.
-
-
-
+ IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
+ addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses
+and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router.
+ Nevertheless, it shows how subnetting can work and if we were dealing
+ with a /24 rather than a /28 network, the use of 6 IP addresses out
+of 256 would be justified because of the simplicity of the setup.
+
+
+
The astute reader may have noticed that the Firewall/Router's
- external interface is actually part of the DMZ subnet (192.0.2.64/29).
- What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
- routing table on DMZ 1 will look like this:
-
-
-
-
+ external interface is actually part of the DMZ subnet (192.0.2.64/29).
+ What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The
+ routing table on DMZ 1 will look like this:
+
+
+
+
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.0.2.64 0.0.0.0 255.255.255.248 U 40 0 0 eth0
0.0.0.0 192.0.2.66 0.0.0.0 UG 40 0 0 eth0
-
-
-
-
+
+
+
+
This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
- request and no device on the DMZ Ethernet segment has that IP address.
- Oddly enough, the firewall will respond to the request with the MAC
-address of its DMZ Interface!! DMZ 1 can then send Ethernet frames
-addressed to that MAC address and the frames will be received (correctly)
-by the firewall/router.
-
-
-
+ request and no device on the DMZ Ethernet segment has that IP address.
+ Oddly enough, the firewall will respond to the request with the MAC
+ address of its DMZ Interface!! DMZ 1 can then send Ethernet frames
+ addressed to that MAC address and the frames will be received (correctly)
+ by the firewall/router.
+
+
+
It is this rather unexpected ARP behavior on the part of the
Linux Kernel that prompts the warning earlier in this guide regarding the
connecting of multiple firewall/router interfaces to the same hub or switch.
When an ARP request for one of the firewall/router's IP addresses is sent
by another system connected to the hub/switch, all of the firewall's
- interfaces that connect to the hub/switch can respond! It is then a
-race as to which "here-is" response reaches the sender first.
-
-
-
+ interfaces that connect to the hub/switch can respond! It is then a
+ race as to which "here-is" response reaches the sender first.
+
+
+
-
-
+
+
+
If you have the above situation but it is non-routed, you
can configure your network exactly as described above with one additional
- twist; simply specify the "proxyarp" option on all three firewall interfaces
- in the /etc/shorewall/interfaces file.
-
-
-
+ twist; simply specify the "proxyarp" option on all three firewall interfaces
+ in the /etc/shorewall/interfaces file.
+
+
+
Most of us don't have the luxury of having enough public IP
addresses to set up our networks as shown in the preceding example (even
if the setup is routed).
-
-
-
+
+
+
For the remainder of this section, assume that your ISP
- has assigned you IP addresses 192.0.2.176-180 and has told you to use
- netmask 255.255.255.0 and default gateway 192.0.2.254.
-
-
-
+ has assigned you IP addresses 192.0.2.176-180 and has told you to use
+ netmask 255.255.255.0 and default gateway 192.0.2.254.
+
+
+
Clearly, that set of addresses doesn't comprise a subnetwork
- and there aren't enough addresses for all of the network interfaces.
- There are four different techniques that can be used to work around this
- problem.
-
-
-
+ and there aren't enough addresses for all of the network interfaces.
+ There are four different techniques that can be used to work around
+this problem.
+
+
+
- -
+
-
Source Network Address Translation (SNAT).
-
- -
+
+ -
Destination Network Address Translation (DNAT)
- also known as Port Forwarding.
-
- -
+ also known as Port Forwarding.
+
+ -
Proxy ARP.
-
- -
+
+ -
Network Address Translation (NAT) also referred
- to as Static NAT.
-
-
+ to as Static NAT.
+
+
-
-
-
+
+
+
Often a combination of these techniques is used. Each of these
will be discussed in the sections that follow.
-
-
-
+
+
+
-
-
+
+
+
With SNAT, an internal LAN segment is configured using RFC
- 1918 addresses. When a host A on this internal segment initiates
- a connection to host B on the internet, the firewall/router rewrites
- the IP header in the request to use one of your public IP addresses
+ 1918 addresses. When a host A on this internal segment initiates
+ a connection to host B on the internet, the firewall/router
+rewrites the IP header in the request to use one of your public IP addresses
as the source address. When B responds and the response is received
by the firewall, the firewall changes the destination address back
to the RFC 1918 address of A and forwards the response back to
A.
-
-
-
+
+
+
Let's suppose that you decide to use SNAT on your local zone
- and use public address 192.0.2.176 as both your firewall's external
-IP address and the source IP address of internet requests sent from that
- zone.
-
-
-
+ and use public address 192.0.2.176 as both your firewall's external
+ IP address and the source IP address of internet requests sent from
+that zone.
+
+
+
-
-
-
+
+
+
The local zone has been subnetted as 192.168.201.0/29
- (netmask 255.255.255.248).
-
+ (netmask 255.255.255.248).
-
+
- The systems in the local zone would be configured with a default
- gateway of 192.168.201.1 (the IP address of the firewall's local interface).
-
+ The systems in the local zone would be configured with a
+default gateway of 192.168.201.1 (the IP address of the firewall's
+local interface).
+
-
+
-
-
-
+
+
+
-
-
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
-
- | eth0 |
- 192.168.201.0/29 |
- 192.0.2.176 |
-
-
-
+
+
+ | INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | eth0 |
+ 192.168.201.0/29 |
+ 192.0.2.176 |
+
+
+
-
-
+
+
+
+
This example used the normal technique of assigning the same
- public IP address for the firewall external interface and for SNAT.
-If you wanted to use a different IP address, you would either have to
-use your distributions network configuration tools to add that IP address
- to the external interface or you could set ADD_SNAT_ALIASES=Yes in
- /etc/shorewall/shorewall.conf and Shorewall will add the address for you.
-
-
-
+ public IP address for the firewall external interface and for SNAT.
+ If you wanted to use a different IP address, you would either have to
+ use your distributions network configuration tools to add that IP address
+ to the external interface or you could set ADD_SNAT_ALIASES=Yes in
+ /etc/shorewall/shorewall.conf and Shorewall will add the address for you.
+
+
+
-
-
+
+
+
When SNAT is used, it is impossible for hosts on the internet
- to initiate a connection to one of the internal systems since those
-systems do not have a public IP address. DNAT provides a way to allow
-selected connections from the internet.
-
-
-
+ to initiate a connection to one of the internal systems since those
+ systems do not have a public IP address. DNAT provides a way to allow
+ selected connections from the internet.
+
+
+
- Suppose that your daughter wants to run a web server on her
- system "Local 3". You could allow connections to the internet to her
- server by adding the following entry in /etc/shorewall/rules:
-
-
-
+
+
+
-
-
- | ACTION |
- SOURCE |
- DESTINATION |
- PROTOCOL |
- PORT |
- SOURCE PORT |
- ORIGINAL DESTINATION |
-
-
- | DNAT |
- net |
- loc:192.168.201.4 |
- tcp |
- www |
- - |
- 192.0.2.176 |
-
-
-
+
+
+ | ACTION |
+ SOURCE |
+ DESTINATION |
+ PROTOCOL |
+ PORT |
+ SOURCE PORT |
+ ORIGINAL DESTINATION |
+
+
+ | DNAT |
+ net |
+ loc:192.168.201.4 |
+ tcp |
+ www |
+ - |
+ 192.0.2.176 |
+
+
+
-
-
+
+
+
+
If one of your daughter's friends at address A wants
- to access your daughter's server, she can connect to http://192.0.2.176 (the firewall's external
- IP address) and the firewall will rewrite the destination IP address
- to 192.168.201.4 (your daughter's system) and forward the request. When
- your daughter's server responds, the firewall will rewrite the source
- address back to 192.0.2.176 and send the response back to A.
-
-
-
+ IP address) and the firewall will rewrite the destination IP address
+ to 192.168.201.4 (your daughter's system) and forward the request. When
+ your daughter's server responds, the firewall will rewrite the source
+ address back to 192.0.2.176 and send the response back to A.
+
+
+
This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses but Shorewall will not
add that address to the firewall's external interface for you.
-
-
-
+
+
+
-
-
+
+
+
The idea behind proxy ARP is that:
-
-
-
+
+
+
- -
+
-
A host H behind your firewall is assigned one of
your public IP addresses (A) and is assigned the same netmask
(M) as the firewall's external interface.
-
- -
+
+ -
The firewall responds to ARP "who has" requests for A.
-
-
- -
+
+
+ -
When H issues an ARP "who has" request for an address
in the subnetwork defined by A and M, the firewall will
respond (with the MAC if the firewall interface to H).
-
-
+
+
-
-
-
+
+
+
Let suppose that we decide to use Proxy ARP on the DMZ in
- our example network.
-
-
-
+ our example network.
+
+
+
-
-
-
+
+
Here, we've assigned the IP addresses 192.0.2.177 to
- system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
- an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
- on the firewall. That address and netmask isn't relevant - just be sure
- it doesn't overlap another subnet that you've defined.
-
+ system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
+ an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
+ on the firewall. That address and netmask isn't relevant - just be sure
+ it doesn't overlap another subnet that you've defined.
+
-
+
-
-
+
+
+
-
-
- | ADDRESS |
- INTERFACE |
- EXTERNAL |
- HAVE ROUTE |
-
-
- | 192.0.2.177 |
- eth2 |
- eth0 |
- No |
-
-
- | 192.0.2.178 |
- eth2 |
- eth0 |
- No |
-
-
-
+
+
+ | ADDRESS |
+ INTERFACE |
+ EXTERNAL |
+ HAVE ROUTE |
+
+
+ | 192.0.2.177 |
+ eth2 |
+ eth0 |
+ No |
+
+
+ | 192.0.2.178 |
+ eth2 |
+ eth0 |
+ No |
+
+
+
-
-
+
+
+
+
Because the HAVE ROUTE column contains No, Shorewall will
- add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.
-
-
-
The ethernet interfaces on DMZ 1 and DMZ 2 should be configured
- to have the IP addresses shown but should have the same default gateway as
- the firewall itself -- namely 192.0.2.254.
-
-
-
-
-
-
-
-
A word of warning is in order here. ISPs typically configure
- their routers with a long ARP cache timeout. If you move a system from
- parallel to your firewall to behind your firewall with Proxy ARP, it
-will probably be HOURS before that system can communicate with the internet.
- There are a couple of things that you can try:
+ add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.
+
The ethernet interfaces on DMZ 1 and DMZ 2 should be configured
+ to have the IP addresses shown but should have the same default gateway
+as the firewall itself -- namely 192.0.2.254. In other words, they should
+be configured just like they would be if they were parallel to the firewall
+rather than behind it.
+
+
+
NOTE: Do not add the Proxy ARP'ed address(es)
+(192.0.2.177 and 192.0.2.178 in the above example) to the external interface
+(eth0 in this example) of the firewall.
+
+
+
+
+
+
+
+
+
A word of warning is in order here. ISPs typically configure
+ their routers with a long ARP cache timeout. If you move a system from
+ parallel to your firewall to behind your firewall with Proxy ARP, it
+ will probably be HOURS before that system can communicate with the internet.
+ There are a couple of things that you can try:
+
+
- - (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP
-Illustrated, Vol 1 reveals that a
-
- "gratuitous" ARP packet should cause the ISP's router to refresh their
- ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
- MAC address for its own IP; in addition to ensuring that the IP address
-isn't a duplicate,...
-
- "if the host sending the gratuitous ARP has just changed its hardware
- address..., this packet causes any other host...that has an entry in its
- cache for the old hardware address to update its ARP cache entry accordingly."
-
- Which is, of course, exactly what you want to do when you switch a host
- from being exposed to the Internet to behind Shorewall using proxy ARP
- (or static NAT for that matter). Happily enough, recent versions of Redhat's
- iputils package include "arping", whose "-U" flag does just that:
-
- arping -U -I <net if> <newly proxied
- IP>
- arping -U -I eth0 66.58.99.83 # for example
-
- Stevens goes on to mention that not all systems respond correctly to
-gratuitous ARPs, but googling for "arping -U" seems to support the idea
-that it works most of the time.
-
-
- - You can call your ISP and ask them to purge the stale ARP cache
- entry but many either can't or won't purge individual entries.
-
+ - (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP
+ Illustrated, Vol 1 reveals that a
+
+ "gratuitous" ARP packet should cause the ISP's router to refresh their
+ ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
+the MAC address for its own IP; in addition to ensuring that the IP address
+ isn't a duplicate,...
+
+ "if the host sending the gratuitous ARP has just changed its hardware
+ address..., this packet causes any other host...that has an entry in its
+ cache for the old hardware address to update its ARP cache entry accordingly."
+
+ Which is, of course, exactly what you want to do when you switch a
+host from being exposed to the Internet to behind Shorewall using proxy
+ARP (or static NAT for that matter). Happily enough, recent versions of
+Redhat's iputils package include "arping", whose "-U" flag does just that:
+
+ arping -U -I <net if> <newly
+proxied IP>
+ arping -U -I eth0 66.58.99.83 # for example
+
+ Stevens goes on to mention that not all systems respond correctly
+to gratuitous ARPs, but googling for "arping -U" seems to support the
+idea that it works most of the time.
+
+
+ - You can call your ISP and ask them to purge the stale ARP
+cache entry but many either can't or won't purge individual entries.
+
- You can determine if your ISP's gateway ARP cache is stale using
-ping and tcpdump. Suppose that we suspect that the gateway router has
-a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
-as follows:
-
-
+ You can determine if your ISP's gateway ARP cache is stale using
+ ping and tcpdump. Suppose that we suspect that the gateway router has
+ a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
+ as follows:
+
+
-
-
+
+
+
Now from 130.252.100.19, ping the ISP's gateway (which we
- will assume is 130.252.100.254):
-
-
-
+ will assume is 130.252.100.254):
+
+
+
-
-
-
+
+
We can now observe the tcpdump output:
-
-
-
+
+
+
13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply
-
-
-
+
+
+
Notice that the source MAC address in the echo request is
- different from the destination MAC address in the echo reply!! In this
- case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
- was the MAC address of DMZ 1. In other words, the gateway's ARP cache
- still associates 192.0.2.177 with the NIC in DMZ 1 rather than with the
- firewall's eth0.
-
-
-
+ different from the destination MAC address in the echo reply!! In this
+ case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
+ was the MAC address of DMZ 1. In other words, the gateway's ARP cache
+ still associates 192.0.2.177 with the NIC in DMZ 1 rather than with
+the firewall's eth0.
+
+
+
-
-
+
+
+
With static NAT, you assign local systems RFC 1918 addresses
- then establish a one-to-one mapping between those addresses and public
- IP addresses. For outgoing connections SNAT (Source Network Address
- Translation) occurs and on incoming connections DNAT (Destination Network
- Address Translation) occurs. Let's go back to our earlier example involving
- your daughter's web server running on system Local 3.
-
-
-
+ then establish a one-to-one mapping between those addresses and public
+ IP addresses. For outgoing connections SNAT (Source Network Address
+ Translation) occurs and on incoming connections DNAT (Destination
+Network Address Translation) occurs. Let's go back to our earlier example
+involving your daughter's web server running on system Local 3.
+
+
+
-
-
-
-
+
+
+
+
Recall that in this setup, the local network is using SNAT
- and is sharing the firewall external IP (192.0.2.176) for outbound connections.
- This is done with the following entry in /etc/shorewall/masq:
-
-
-
-
+ and is sharing the firewall external IP (192.0.2.176) for outbound
+connections. This is done with the following entry in /etc/shorewall/masq:
+
+
-
-
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
-
- | eth0 |
- 192.168.201.0/29 |
- 192.0.2.176 |
-
-
-
+
+
+ | INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | eth0 |
+ 192.168.201.0/29 |
+ 192.0.2.176 |
+
+
+
-
-
+
+
+
+
- Suppose now that you have decided to give your daughter her
-own IP address (192.0.2.179) for both inbound and outbound connections.
-You would do that by adding an entry in /etc/shorewall/nat.
-
-
-
+
+
+
-
-
- | EXTERNAL |
- INTERFACE |
- INTERNAL |
- ALL INTERFACES |
- LOCAL |
-
-
- | 192.0.2.179 |
- eth0 |
- 192.168.201.4 |
- No |
- No |
-
-
-
+
+
+ | EXTERNAL |
+ INTERFACE |
+ INTERNAL |
+ ALL INTERFACES |
+ LOCAL |
+
+
+ | 192.0.2.179 |
+ eth0 |
+ 192.168.201.4 |
+ No |
+ No |
+
+
+
-
-
+
+
+
+
With this entry in place, you daughter has her own IP address
- and the other two local systems share the firewall's IP address.
-
-
-
+ and the other two local systems share the firewall's IP address.
+
+
+
- Once the relationship between 192.0.2.179 and 192.168.201.4
-is established by the nat file entry above, it is no longer appropriate
- to use a DNAT rule for you daughter's web server -- you would rather
- just use an ACCEPT rule:
-
-
-
-
+ Once the relationship between 192.0.2.179 and 192.168.201.4
+ is established by the nat file entry above, it is no longer appropriate
+ to use a DNAT rule for you daughter's web server -- you would rather
+ just use an ACCEPT rule:
+
+
-
-
- | ACTION |
- SOURCE |
- DESTINATION |
- PROTOCOL |
- PORT |
- SOURCE PORT |
- ORIGINAL DESTINATION |
-
-
- | ACCEPT |
- net |
- loc:192.168.201.4 |
- tcp |
- www |
- |
- |
-
-
-
+
+
+ | ACTION |
+ SOURCE |
+ DESTINATION |
+ PROTOCOL |
+ PORT |
+ SOURCE PORT |
+ ORIGINAL DESTINATION |
+
+
+ | ACCEPT |
+ net |
+ loc:192.168.201.4 |
+ tcp |
+ www |
+ |
+ |
+
+
+
-
-
+
+
+
+
-
-
+
+
+
- With the default policies, your local systems (Local 1-3) can
- access any servers on the internet and the DMZ can't access any other
- host (including the firewall). With the exception of DNAT rules which cause address translation and allow
- the translated connection request to pass through the firewall, the way
- to allow connection requests through your firewall is to use ACCEPT
-rules.
-
-
-
+ the translated connection request to pass through the firewall, the
+way to allow connection requests through your firewall is to use ACCEPT
+ rules.
+
+
+
NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't
- used in this section, they won't be shown
-
-
-
+ used in this section, they won't be shown
+
+
+
You probably want to allow ping between your zones:
-
-
-
+
+
+
-
-
- | ACTION |
- SOURCE |
- DESTINATION |
- PROTOCOL |
- PORT |
-
-
- | ACCEPT |
- net |
- dmz |
- icmp |
- echo-request |
-
-
- | ACCEPT |
- net |
- loc |
- icmp |
- echo-request |
-
-
- | ACCEPT |
- dmz |
- loc |
- icmp |
- echo-request |
-
-
- | ACCEPT |
- loc |
- dmz |
- icmp |
- echo-request |
-
-
-
+
+
+ | ACTION |
+ SOURCE |
+ DESTINATION |
+ PROTOCOL |
+ PORT |
+
+
+ | ACCEPT |
+ net |
+ dmz |
+ icmp |
+ echo-request |
+
+
+ | ACCEPT |
+ net |
+ loc |
+ icmp |
+ echo-request |
+
+
+ | ACCEPT |
+ dmz |
+ loc |
+ icmp |
+ echo-request |
+
+
+ | ACCEPT |
+ loc |
+ dmz |
+ icmp |
+ echo-request |
+
+
+
-
-
+
+
+
+
Let's suppose that you run mail and pop3 servers on DMZ 2
- and a Web Server on DMZ 1. The rules that you would need are:
-
-
-
-
+ and a Web Server on DMZ 1. The rules that you would need are:
+
+
-
-
- | ACTION |
- SOURCE |
- DESTINATION |
- PROTOCOL |
- PORT |
- COMMENTS |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.178 |
- tcp |
- smtp |
- # Mail from the Internet |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.178 |
- tcp |
- pop3 |
- # Pop3 from the Internet |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.178 |
- tcp |
- smtp |
- # Mail from the Local Network |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.178 |
- tcp |
- pop3 |
- # Pop3 from the Local Network |
-
-
- | ACCEPT |
- fw |
- dmz:192.0.2.178 |
- tcp |
- smtp |
- # Mail from the Firewall |
-
-
- | ACCEPT |
- dmz:192.0.2.178 |
- net |
- tcp |
- smtp |
- # Mail to the Internet |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.177 |
- tcp |
- http |
- # WWW from the Net |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.177 |
- tcp |
- https |
- # Secure HTTP from the Net |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.177 |
- tcp |
- https |
- # Secure HTTP from the Local Net |
-
-
-
+
+
+ | ACTION |
+ SOURCE |
+ DESTINATION |
+ PROTOCOL |
+ PORT |
+ COMMENTS |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.178 |
+ tcp |
+ smtp |
+ # Mail from the Internet |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.178 |
+ tcp |
+ pop3 |
+ # Pop3 from the Internet |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.178 |
+ tcp |
+ smtp |
+ # Mail from the Local Network |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.178 |
+ tcp |
+ pop3 |
+ # Pop3 from the Local Network |
+
+
+ | ACCEPT |
+ fw |
+ dmz:192.0.2.178 |
+ tcp |
+ smtp |
+ # Mail from the Firewall |
+
+
+ | ACCEPT |
+ dmz:192.0.2.178 |
+ net |
+ tcp |
+ smtp |
+ # Mail to the Internet |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.177 |
+ tcp |
+ http |
+ # WWW from the Net |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.177 |
+ tcp |
+ https |
+ # Secure HTTP from the Net |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.177 |
+ tcp |
+ https |
+ # Secure HTTP from the Local Net |
+
+
+
-
-
+
+
+
+
If you run a public DNS server on 192.0.2.177, you would need
to add the following rules:
-
-
-
+
+
+
-
-
- | ACTION |
- SOURCE |
- DESTINATION |
- PROTOCOL |
- PORT |
- COMMENTS |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.177 |
- udp |
- domain |
- # UDP DNS from the Internet |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.177 |
- tcp |
- domain |
- # TCP DNS from the internet |
-
-
- | ACCEPT |
- fw |
- dmz:192.0.2.177 |
- udp |
- domain |
- # UDP DNS from firewall |
-
-
- | ACCEPT |
- fw |
- dmz:192.0.2.177 |
- tcp |
- domain |
- # TCP DNS from firewall |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.177 |
- udp |
- domain |
- # UDP DNS from the local Net |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.177 |
- tcp |
- domain |
- # TCP DNS from the local Net |
-
-
- | ACCEPT |
- dmz:192.0.2.177 |
- net |
- udp |
- domain |
- # UDP DNS to the Internet |
-
-
- | ACCEPT |
- dmz:192.0.2.177 |
- net |
- tcp |
- domain |
- # TCP DNS to the Internet |
-
-
-
+
+
+ | ACTION |
+ SOURCE |
+ DESTINATION |
+ PROTOCOL |
+ PORT |
+ COMMENTS |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.177 |
+ udp |
+ domain |
+ # UDP DNS from the Internet |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.177 |
+ tcp |
+ domain |
+ # TCP DNS from the internet |
+
+
+ | ACCEPT |
+ fw |
+ dmz:192.0.2.177 |
+ udp |
+ domain |
+ # UDP DNS from firewall |
+
+
+ | ACCEPT |
+ fw |
+ dmz:192.0.2.177 |
+ tcp |
+ domain |
+ # TCP DNS from firewall |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.177 |
+ udp |
+ domain |
+ # UDP DNS from the local Net |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.177 |
+ tcp |
+ domain |
+ # TCP DNS from the local Net |
+
+
+ | ACCEPT |
+ dmz:192.0.2.177 |
+ net |
+ udp |
+ domain |
+ # UDP DNS to the Internet |
+
+
+ | ACCEPT |
+ dmz:192.0.2.177 |
+ net |
+ tcp |
+ domain |
+ # TCP DNS to the Internet |
+
+
+
-
-
+
+
+
+
You probably want some way to communicate with your firewall
- and DMZ systems from the local network -- I recommend SSH which through
- its scp utility can also do publishing and software update distribution.
-
-
-
-
+ and DMZ systems from the local network -- I recommend SSH which through
+ its scp utility can also do publishing and software update distribution.
+
+
-
-
- | ACTION |
- SOURCE |
- DESTINATION |
- PROTOCOL |
- PORT |
- COMMENTS |
-
-
- | ACCEPT |
- loc |
- dmz |
- tcp |
- ssh |
- # SSH to the DMZ |
-
-
- | ACCEPT |
- loc |
- fw |
- tcp |
- ssh |
- # SSH to the Firewall |
-
-
-
+
+
+ | ACTION |
+ SOURCE |
+ DESTINATION |
+ PROTOCOL |
+ PORT |
+ COMMENTS |
+
+
+ | ACCEPT |
+ loc |
+ dmz |
+ tcp |
+ ssh |
+ # SSH to the DMZ |
+
+
+ | ACCEPT |
+ loc |
+ fw |
+ tcp |
+ ssh |
+ # SSH to the Firewall |
+
+
+
-
-
+
+
+
+
-
-
+
+
+
The above discussion reflects my personal preference for using
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I
prefer to use NAT only in cases where a system that is part of an RFC 1918
subnet needs to have it's own public IP.
-
-
-
+
+
+
- If you haven't already, it would be a good idea to browse through
- /etc/shorewall/shorewall.conf just
- to see if there is anything there that might be of interest. You might
- also want to look at the other configuration files that you haven't
-touched yet just to get a feel for the other things that Shorewall can
-do.
-
-
-
+ If you haven't already, it would be a good idea to browse
+through
/etc/shorewall/shorewall.conf
+just to see if there is anything there that might be of interest. You
+might also want to look at the other configuration files that you
+haven't touched yet just to get a feel for the other things that Shorewall
+can do.
+
In case you haven't been keeping score, here's the final set
of configuration files for our sample network. Only those that were modified
from the original installation are shown.
-
-
-
+
+
+
/etc/shorewall/interfaces (The "options" will be very site-specific).
-
-
-
+
+
+
-
-
- | Zone |
- Interface |
- Broadcast |
- Options |
-
-
- | net |
- eth0 |
- detect |
- norfc1918,routefilter |
-
-
- | loc |
- eth1 |
- detect |
- |
-
-
- | dmz |
- eth2 |
- detect |
- |
-
-
-
+
+
+ | Zone |
+ Interface |
+ Broadcast |
+ Options |
+
+
+ | net |
+ eth0 |
+ detect |
+ norfc1918,routefilter |
+
+
+ | loc |
+ eth1 |
+ detect |
+ |
+
+
+ | dmz |
+ eth2 |
+ detect |
+ |
+
+
+
-
-
+
+
+
+
The setup described here requires that your network interfaces
- be brought up before Shorewall can start. This opens a short window
-during which you have no firewall protection. If you replace 'detect'
-with the actual broadcast addresses in the entries above, you can bring
-up Shorewall before you bring up your network interfaces.
-
-
-
-
+ be brought up before Shorewall can start. This opens a short window
+ during which you have no firewall protection. If you replace 'detect'
+ with the actual broadcast addresses in the entries above, you can bring
+ up Shorewall before you bring up your network interfaces.
+
+
-
-
- | Zone |
- Interface |
- Broadcast |
- Options |
-
-
- | net |
- eth0 |
- 192.0.2.255 |
- norfc1918,routefilter |
-
-
- | loc |
- eth1 |
- 192.168.201.7 |
- |
-
-
- | dmz |
- eth2 |
- 192.168.202.7 |
- |
-
-
-
+
+
+ | Zone |
+ Interface |
+ Broadcast |
+ Options |
+
+
+ | net |
+ eth0 |
+ 192.0.2.255 |
+ norfc1918,routefilter |
+
+
+ | loc |
+ eth1 |
+ 192.168.201.7 |
+ |
+
+
+ | dmz |
+ eth2 |
+ 192.168.202.7 |
+ |
+
+
+
-
-
+
+
+
+
/etc/shorewall/masq - Local subnet
-
-
-
+
+
+
-
-
- | INTERFACE |
- SUBNET |
- ADDRESS |
-
-
- | eth0 |
- 192.168.201.0/29 |
- 192.0.2.176 |
-
-
-
+
+
+ | INTERFACE |
+ SUBNET |
+ ADDRESS |
+
+
+ | eth0 |
+ 192.168.201.0/29 |
+ 192.0.2.176 |
+
+
+
-
-
+
+
+
+
/etc/shorewall/proxyarp - DMZ
-
-
-
+
+
+
-
-
- | ADDRESS |
- INTERFACE |
- EXTERNAL |
- HAVE ROUTE |
-
-
- | 192.0.2.177 |
- eth2 |
- eth0 |
- No |
-
-
- | 192.0.2.178 |
- eth2 |
- eth0 |
- No |
-
-
-
+
+
+ | ADDRESS |
+ INTERFACE |
+ EXTERNAL |
+ HAVE ROUTE |
+
+
+ | 192.0.2.177 |
+ eth2 |
+ eth0 |
+ No |
+
+
+ | 192.0.2.178 |
+ eth2 |
+ eth0 |
+ No |
+
+
+
-
-
+
+
+
+
/etc/shorewall/nat- Daughter's System
-
-
-
+
+
+
-
-
- | EXTERNAL |
- INTERFACE |
- INTERNAL |
- ALL INTERFACES |
- LOCAL |
-
-
- | 192.0.2.179 |
- eth0 |
- 192.168.201.4 |
- No |
- No |
-
-
-
+
+
+ | EXTERNAL |
+ INTERFACE |
+ INTERNAL |
+ ALL INTERFACES |
+ LOCAL |
+
+
+ | 192.0.2.179 |
+ eth0 |
+ 192.168.201.4 |
+ No |
+ No |
+
+
+
-
-
+
+
+
+
-
-
+
+
+
-
-
- | ACTION |
- SOURCE |
- DESTINATION |
- PROTOCOL |
- PORT |
- COMMENTS |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.178 |
- tcp |
- smtp |
- # Mail from the Internet |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.178 |
- tcp |
- pop3 |
- # Pop3 from the Internet |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.178 |
- tcp |
- smtp |
- # Mail from the Local Network |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.178 |
- tcp |
- pop3 |
- # Pop3 from the Local Network |
-
-
- | ACCEPT |
- fw |
- dmz:192.0.2.178 |
- tcp |
- smtp |
- # Mail from the Firewall |
-
-
- | ACCEPT |
- dmz:192.0.2.178 |
- net |
- tcp |
- smtp |
- # Mail to the Internet |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.178 |
- tcp |
- http |
- # WWW from the Net |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.178 |
- tcp |
- https |
- # Secure HTTP from the Net |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.178 |
- tcp |
- https |
- # Secure HTTP from the Local Net |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.177 |
- udp |
- domain |
- # UDP DNS from the Internet |
-
-
- | ACCEPT |
- net |
- dmz:192.0.2.177 |
- tcp |
- domain |
- # TCP DNS from the internet |
-
-
- | ACCEPT |
- fw |
- dmz:192.0.2.177 |
- udp |
- domain |
- # UDP DNS from firewall |
-
-
- | ACCEPT |
- fw |
- dmz:192.0.2.177 |
- tcp |
- domain |
- # TCP DNS from firewall |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.177 |
- udp |
- domain |
- # UDP DNS from the local Net |
-
-
- | ACCEPT |
- loc |
- dmz:192.0.2.177 |
- tcp |
- domain |
- # TCP DNS from the local Net |
-
-
- | ACCEPT |
- dmz:192.0.2.177 |
- net |
- udp |
- domain |
- # UDP DNS to the Internet |
-
-
- | ACCEPT |
- dmz:192.0.2.177 |
- net |
- tcp |
- domain |
- # TCP DNS to the Internet |
-
-
- | ACCEPT |
- net |
- dmz |
- icmp |
- echo-request |
- # Ping |
-
-
- | ACCEPT |
- net |
- loc |
- icmp |
- echo-request |
- # " |
-
-
- | ACCEPT |
- dmz |
- loc |
- icmp |
- echo-request |
- # " |
-
-
- | ACCEPT |
- loc |
- dmz |
- icmp |
- echo-request |
- # " |
-
-
- | ACCEPT |
- loc |
- dmz |
- tcp |
- ssh |
- # SSH to the DMZ |
-
-
- | ACCEPT |
- loc |
- fw |
- tcp |
- ssh |
- # SSH to the Firewall |
-
-
-
+
+
+ | ACTION |
+ SOURCE |
+ DESTINATION |
+ PROTOCOL |
+ PORT |
+ COMMENTS |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.178 |
+ tcp |
+ smtp |
+ # Mail from the Internet |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.178 |
+ tcp |
+ pop3 |
+ # Pop3 from the Internet |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.178 |
+ tcp |
+ smtp |
+ # Mail from the Local Network |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.178 |
+ tcp |
+ pop3 |
+ # Pop3 from the Local Network |
+
+
+ | ACCEPT |
+ fw |
+ dmz:192.0.2.178 |
+ tcp |
+ smtp |
+ # Mail from the Firewall |
+
+
+ | ACCEPT |
+ dmz:192.0.2.178 |
+ net |
+ tcp |
+ smtp |
+ # Mail to the Internet |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.178 |
+ tcp |
+ http |
+ # WWW from the Net |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.178 |
+ tcp |
+ https |
+ # Secure HTTP from the Net |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.178 |
+ tcp |
+ https |
+ # Secure HTTP from the Local Net |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.177 |
+ udp |
+ domain |
+ # UDP DNS from the Internet |
+
+
+ | ACCEPT |
+ net |
+ dmz:192.0.2.177 |
+ tcp |
+ domain |
+ # TCP DNS from the internet |
+
+
+ | ACCEPT |
+ fw |
+ dmz:192.0.2.177 |
+ udp |
+ domain |
+ # UDP DNS from firewall |
+
+
+ | ACCEPT |
+ fw |
+ dmz:192.0.2.177 |
+ tcp |
+ domain |
+ # TCP DNS from firewall |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.177 |
+ udp |
+ domain |
+ # UDP DNS from the local Net |
+
+
+ | ACCEPT |
+ loc |
+ dmz:192.0.2.177 |
+ tcp |
+ domain |
+ # TCP DNS from the local Net |
+
+
+ | ACCEPT |
+ dmz:192.0.2.177 |
+ net |
+ udp |
+ domain |
+ # UDP DNS to the Internet |
+
+
+ | ACCEPT |
+ dmz:192.0.2.177 |
+ net |
+ tcp |
+ domain |
+ # TCP DNS to the Internet |
+
+
+ | ACCEPT |
+ net |
+ dmz |
+ icmp |
+ echo-request |
+ # Ping |
+
+
+ | ACCEPT |
+ net |
+ loc |
+ icmp |
+ echo-request |
+ # " |
+
+
+ | ACCEPT |
+ dmz |
+ loc |
+ icmp |
+ echo-request |
+ # " |
+
+
+ | ACCEPT |
+ loc |
+ dmz |
+ icmp |
+ echo-request |
+ # " |
+
+
+ | ACCEPT |
+ loc |
+ dmz |
+ tcp |
+ ssh |
+ # SSH to the DMZ |
+
+
+ | ACCEPT |
+ loc |
+ fw |
+ tcp |
+ ssh |
+ # SSH to the Firewall |
+
+
+
-
-
+
+
+
+
-
-
+
+
+
Given the collection of RFC 1918 and public addresses in this
setup, it only makes sense to have separate internal and external DNS
servers. You can combine the two into a single BIND 9 server using Views.
If you are not interested in Bind 9 views, you can go to the next section.
-
-
-
+
+
+
Suppose that your domain is foobar.net and you want the two
- DMZ systems named www.foobar.net and mail.foobar.net and you want the
- three local systems named "winken.foobar.net, blinken.foobar.net and
-nod.foobar.net. You want your firewall to be known as firewall.foobar.net
-externally and it's interface to the local network to be know as gateway.foobar.net
- and its interface to the dmz as dmz.foobar.net. Let's have the DNS server
- on 192.0.2.177 which will also be known by the name ns1.foobar.net.
-
-
-
+ DMZ systems named www.foobar.net and mail.foobar.net and you want the
+ three local systems named "winken.foobar.net, blinken.foobar.net and
+ nod.foobar.net. You want your firewall to be known as firewall.foobar.net
+ externally and it's interface to the local network to be know as gateway.foobar.net
+ and its interface to the dmz as dmz.foobar.net. Let's have the DNS server
+ on 192.0.2.177 which will also be known by the name ns1.foobar.net.
+
+
+
The /etc/named.conf file would look like this:
-
-
-
-
-
+
+
+
+
+
options {
directory "/var/named";
listen-on { 127.0.0.1 ; 192.0.2.177; };
};
logging {
channel xfer-log {
file "/var/log/named/bind-xfer.log";
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
-
-
-
+
+
+
#
# This is the view presented to our internal systems
#
view "internal" {
#
# These are the clients that see this view
#
match-clients { 192.168.201.0/29;
192.168.202.0/29;
127.0.0/24;
192.0.2.176/32;
192.0.2.178/32;
192.0.2.179/32;
192.0.2.180/32; };
#
# If this server can't complete the request, it should use outside
# servers to do so
#
recursion yes;
zone "." in {
type hint;
file "int/root.cache";
};
zone "foobar.net" in {
type master;
notify no;
allow-update { none; };
file "int/db.foobar";
};
zone "0.0.127.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.127.0.0";
};
zone "201.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.201";
};
zone "202.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.202";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.176";
};
(or status NAT for that matter)
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.206.124.146.179";
};
};
#
# This is the view that we present to the outside world
#
view "external" {
match-clients { any; };
#
# If we can't answer the query, we tell the client so
#
recursion no;
zone "foobar.net" in {
type master;
notify yes;
allow-update {none; };
allow-transfer { <secondary NS IP>; };
file "ext/db.foobar";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.176";
};
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.179";
};
};
-
-
-
+
+
+
Here are the files in /var/named (those not shown are usually
- included in your bind disbribution).
-
+ included in your bind disbribution).
+
db.192.0.2.176 - This is the reverse zone for the firewall's
- external interface
-
-
+ external interface
+
+
; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
; Filename: db.192.0.2.176
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.
-
-
-
-
+
+
+
+
db.192.0.2.177 - This is the reverse zone for the www/DNS
- server
-
+ server
+
; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
; Filename: db.192.0.2.177
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.
-
-
-
-
-
+
+
+
+
+
db.192.0.2.178 - This is the reverse zone for the mail
- server
-
+ server
+
; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
; Filename: db.192.0.2.178
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.
-
-
-
-
-
+
+
+
+
+
db.192.0.2.179 - This is the reverse zone for daughter's
- web server's public IP
-
+ web server's public IP
+
; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
; Filename: db.192.0.2.179
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001102303 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
;
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
@ 604800 IN NS <name of secondary ns>.
;
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.
-
-
-
-
-
+
+
+
+
+
int/db.127.0.0 - The reverse zone for localhost
-
-
-
+
+
+
; ############################################################
; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
; Filename: db.127.0.0
; ############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2001092901 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR localhost.foobar.net.
-
-
+
+
+
+
int/db.192.168.201 - Reverse zone for the local net. This
- is only shown to internal clients
-
-
-
-
+ is only shown to internal clients
+
+
; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
; Filename: db.192.168.201
; ############################################################
@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
2002032501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR gateway.foobar.net.
2 86400 IN PTR winken.foobar.net.
3 86400 IN PTR blinken.foobar.net.
4 86400 IN PTR nod.foobar.net.
-
-
+
+
+
+
int/db.192.168.202 - Reverse zone for the firewall's DMZ
interface
-
-
-
-
-
+
+
+
+
+
; ############################################################
; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
; Filename: db.192.168.202
; ############################################################
@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
2002032501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ) ; minimum (1 day)
; ############################################################
; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
; ############################################################
@ 604800 IN NS ns1.foobar.net.
; ############################################################
; Iverse Address Arpa Records (PTR's)
; ############################################################
1 86400 IN PTR dmz.foobar.net.
-
-
-
+
+
+
int/db.foobar - Forward zone for use by internal clients.
-
-
-
+
+
+
;##############################################################
; Start of Authority for foobar.net.
; Filename: db.foobar
;##############################################################
@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2002071501 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ); minimum (1 day)
;############################################################
; foobar.net Nameserver Records (NS)
;############################################################
@ 604800 IN NS ns1.foobar.net.
;############################################################
; Foobar.net Office Records (ADDRESS)
;############################################################
localhost 86400 IN A 127.0.0.1
firewall 86400 IN A 192.0.2.176
www 86400 IN A 192.0.2.177
ns1 86400 IN A 192.0.2.177
www 86400 IN A 192.0.2.177
gateway 86400 IN A 192.168.201.1
winken 86400 IN A 192.168.201.2
blinken 86400 IN A 192.168.201.3
nod 86400 IN A 192.168.201.4
-
-
+
+
+
+
ext/db.foobar - Forward zone for external clients
-
-
-
-
-
+
+
+
+
+
;##############################################################
; Start of Authority for foobar.net.
; Filename: db.foobar
;##############################################################
@ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (
2002052901 ; serial
10800 ; refresh (3 hour)
3600 ; retry (1 hour)
604800 ; expire (7 days)
86400 ); minimum (1 day)
;############################################################
; Foobar.net Nameserver Records (NS)
;############################################################
@ 86400 IN NS ns1.foobar.net.
@ 86400 IN NS <secondary NS>.
;############################################################
; Foobar.net Foobar Wa Office Records (ADDRESS)
;############################################################
localhost 86400 IN A 127.0.0.1
;
; The firewall itself
;
firewall 86400 IN A 192.0.2.176
;
; The DMZ
;
ns1 86400 IN A 192.0.2.177
www 86400 IN A 192.0.2.177
mail 86400 IN A 192.0.2.178
;
; The Local Network
;
nod 86400 IN A 192.0.2.179
;############################################################
; Current Aliases for foobar.net (CNAME)
;############################################################
;############################################################
; foobar.net MX Records (MAIL EXCHANGER)
;############################################################
foobar.net. 86400 IN A 192.0.2.177
86400 IN MX 0 mail.foobar.net.
86400 IN MX 1 <backup MX>.
-
-
-
+
+
+
7.0 Starting and Stopping
- Your Firewall
-
-
-
+ Your Firewall
+
+
+
-
-
+ your system to start Shorewall at system boot.
+
+
+
The firewall is started using the "shorewall start" command
- and stopped using "shorewall stop". When the firewall is stopped, routing
- is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A
- running firewall may be restarted using the "shorewall restart" command.
- If you want to totally remove any trace of Shorewall from your Netfilter
- configuration, use "shorewall clear".
-
-
-
+ running firewall may be restarted using the "shorewall restart" command.
+ If you want to totally remove any trace of Shorewall from your Netfilter
+ configuration, use "shorewall clear".
+
+
+
- Edit the /etc/shorewall/routestopped file and configure those
- systems that you want to be able to access the firewall when it is stopped.
-
-
-
+ Edit the /etc/shorewall/routestopped file and configure those
+ systems that you want to be able to access the firewall when it is
+stopped.
+
+
+
WARNING: If you are connected to your firewall from
- the internet, do not issue a "shorewall stop" command unless you have
- added an entry for the IP address that you are connected from to /etc/shorewall/routestopped.
Also, I don't recommend using "shorewall restart"; it is better to create
- an alternate configuration
- and test it using the "shorewall
- try" command.
-
-
-Last updated 2/21/2003 - alternate configuration
+ and test it using the "shorewall
+ try" command.
+
+
+Last updated 3/21/2003 - Tom Eastep
-
+
Copyright 2002, 2003
- Thomas M. Eastep
-
+ Thomas M. Eastep
+
+
+
diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm
index cf7699c5a..be7961910 100644
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@@ -7,7 +7,7 @@
-
+
Shoreline Firewall (Shorewall) 1.3
@@ -17,23 +17,23 @@
-
+
-
+
-
+
-
+
- |
+ |
@@ -43,13 +43,13 @@
-
+
- Shorewall 1.4 - "iptables made easy"
@@ -64,36 +64,36 @@
-
+
- |
-
+
+
-
-
-
+
+
+
-
-
+
+
-
+
-
+
-
+
- |
+ |
@@ -105,7 +105,7 @@
-
+
What is it?
@@ -119,12 +119,12 @@
-
- The Shoreline Firewall, more commonly known as "Shorewall", is
- a Netfilter (iptables)
- based firewall that can be used on a dedicated firewall system,
- a multi-function gateway/router/server or on a standalone
- GNU/Linux system.
+
+ The Shoreline Firewall, more commonly known as "Shorewall", is
+ a Netfilter (iptables)
+ based firewall that can be used on a dedicated firewall
+system, a multi-function gateway/router/server or on a standalone
+ GNU/Linux system.
@@ -137,29 +137,29 @@
-
- This program is free software; you can redistribute it and/or modify
- it under the
-terms of Version
- 2 of the GNU General Public License as published by the Free Software
- Foundation.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the
+ terms of Version
+ 2 of the GNU General Public License as published by the Free
+Software Foundation.
-
+
- This program is distributed
- in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied
- warranty of MERCHANTABILITY or FITNESS FOR
-A PARTICULAR PURPOSE. See the GNU General Public License
- for more details.
+ This program is distributed
+ in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public
+License for more details.
-
+
- You should have received
- a copy of the GNU General Public License
- along with this program; if not, write
-to the Free Software Foundation, Inc., 675
- Mass Ave, Cambridge, MA 02139, USA
+ You should have received
+ a copy of the GNU General Public License
+ along with this program; if not, write
+ to the Free Software Foundation, Inc., 675
+ Mass Ave, Cambridge, MA 02139, USA
@@ -172,7 +172,7 @@ to the Free Software Foundation, Inc., 675
-
+
Copyright 2001, 2002, 2003 Thomas M. Eastep
@@ -186,26 +186,26 @@ to the Free Software Foundation, Inc., 675
-
+
- Jacques
-Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
- on a floppy, CD or compact flash) distribution
- called Bering that features
- Shorewall-1.3.14 and Kernel-2.4.20. You can find
- their work at: Jacques
+ Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
+ on a floppy, CD or compact flash) distribution
+ called Bering that features
+ Shorewall-1.3.14 and Kernel-2.4.20. You can find
+ their work at: http://leaf.sourceforge.net/devel/jnilo
- Congratulations
- to Jacques and Eric on the recent release of Bering
- 1.1!!!
-
+ Congratulations
+ to Jacques and Eric on the recent release of Bering
+1.1!!!
+
-
+
News
@@ -221,278 +221,23 @@ Nilo and Eric Wolzak have a LEAF (router/firewall/gatew
-
- 3/17/2003 - Shorewall 1.4.0 ![]() 3/24/2003 - Shorewall 1.4.1
-
- Shorewall 1.4 represents
- the next step in the evolution of Shorewall. The main thrust of the
-initial release is simply to remove the cruft that has accumulated in
-Shorewall over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute package
- ('ip' utility).
-
- Function from 1.3 that has been omitted from this version
-include:
+
+
-
-
- - The MERGE_HOSTS variable in shorewall.conf is no longer supported.
- Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
-
-
- - Interface names of the form <device>:<integer>
- in /etc/shorewall/interfaces now generate an error.
-
-
- - Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
- OLD_PING_HANDLING=Yes will generate an error at startup as will specification
- of the 'noping' or 'filterping' interface options.
-
-
- - The 'routestopped' option in the /etc/shorewall/interfaces
- and /etc/shorewall/hosts files is no longer supported and will generate
- an error at startup if specified.
-
-
- - The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
-longer accepted.
-
-
- - The ALLOWRELATED variable in shorewall.conf is no longer supported.
- Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
-
-
- - The icmp.def file has been removed.
-
-
- Changes for 1.4 include:
-
-
- - The /etc/shorewall/shorewall.conf file has been completely
- reorganized into logical sections.
-
-
- - LOG is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - The firewall script, common functions file and version file
- are now installed in /usr/share/shorewall.
-
-
- - Late arriving DNS replies are now silently dropped in the
-common chain by default.
-
-
- - In addition to behaving like OLD_PING_HANDLING=No, Shorewall
- 1.4 no longer unconditionally accepts outbound ICMP packets. So if you
- want to 'ping' from the firewall, you will need the appropriate rule or
- policy.
-
-
- - CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
-
-
- - 802.11b devices with names of the form wlan<n>
- now support the 'maclist' option.
-
-
- - Explicit Congestion Notification (ECN - RFC 3168)
- may now be turned off on a host or network basis using the new /etc/shorewall/ecn
- file. To use this facility:
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-
- - The /etc/shorewall/params file is now processed first so that
- variables may be used in the /etc/shorewall/shorewall.conf file.
-
-
- - Shorewall now gives a more helpful diagnostic when
- the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
- command is issued.
-
-
- - The SHARED_DIR variable has been removed from shorewall.conf.
- This variable was for use by package maintainers and was not documented
-for general use.
-
-
- - Shorewall now ignores 'default' routes when detecting masq'd
- networks.
-
-
-
- 3/11/2003 - Shoreall 1.3.14a
-
-
- A roleup of the following bug fixes and other updates:
-
+
+
+
+
+
+
+
+
+
- - There is an updated rfc1918 file that reflects the resent
-allocation of 222.0.0.0/8 and 223.0.0.0/8.
- - The documentation for the routestopped file claimed that a comma-separated
- list could appear in the second column while the code only supported a
- single host or network address.
- - Log messages produced by 'logunclean' and 'dropunclean' were
- not rate-limited.
- - 802.11b devices with names of the form wlan<n>
-don't support the 'maclist' interface option.
- - Log messages generated by RFC 1918 filtering are not rate limited.
- - The firewall fails to start in the case where you have "eth0
- eth1" in /etc/shorewall/masq and the default route is through eth1
-
-
-
-
-
- 2/8/2003 - Shorewall 1.3.14
-
-
- New features include
-
-
-
- - An OLD_PING_HANDLING option has been added to shorewall.conf.
- When set to Yes, Shorewall ping handling is as it has always been
- (see http://www.shorewall.net/ping.html).
-
- When OLD_PING_HANDLING=No, icmp echo (ping) is handled
-via rules and policies just like any other connection request. The
-FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
-options in /etc/shorewall/interfaces will all generate an error.
-
-
- - It is now possible to direct Shorewall to create
- a "label" such as "eth0:0" for IP addresses that it creates under
- ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
- the label instead of just the interface name:
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-
- - Support for OpenVPN Tunnels.
-
-
- - Support for VLAN devices with names of the form
-$DEV.$VID (e.g., eth0.0)
-
-
- - In /etc/shorewall/tcrules, the MARK value may be
-optionally followed by ":" and either 'F' or 'P' to designate that the
-marking will occur in the FORWARD or PREROUTING chains respectively.
-If this additional specification is omitted, the chain used to mark packets
-will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
-in shorewall.conf.
-
-
- - When an interface name is entered in the SUBNET
-column of the /etc/shorewall/masq file, Shorewall previously masqueraded
- traffic from only the first subnet defined on that interface. It
-did not masquerade traffic from:
-
- a) The subnets associated with other addresses on the
- interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter an interface
- name in the SUBNET column, shorewall will use the firewall's routing
- table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
-
-
-
- [root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
-
- When upgrading to Shorewall 1.3.14, if you have multiple
- local subnets connected to an interface that is specified in the
-SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
-file will need changing. In most cases, you will simply be able to remove
-redundant entries. In some cases though, you might want to change from
-using the interface name to listing specific subnetworks if the change described
-above will cause masquerading to occur on subnetworks that you don't wish
-to masquerade.
-
- Example 2 -- Suppose that your current config is as follows:
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, the second entry in /etc/shorewall/masq
- is no longer required.
-
- Example 3 -- What if your current configuration is like
- this?
-
-
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- [root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
- In this case, you would want to change the entry in
- /etc/shorewall/masq to:
-
-
-
- #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
-
-
-
- 2/5/2003 - Shorewall Support included in Webmin 1.060
-
- Webmin version 1.060 now has Shorewall support included
-as standard. See http://www.webmin.com
-
-
-
-
-
-
-
-
-
-
-
-
@@ -502,6 +247,60 @@ as standard. See http://www.webmin.
+
+
+
+
+
+
+
+
+
+
+ This release follows up on 1.4.0. It corrects a problem introduced
+in 1.4.0 and removes additional warts.
+
+ Problems Corrected:
+
+
+ - When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
+it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
+is empty. That problem has been corrected so that ECN disabling rules are
+only added if there are entries in /etc/shorewall/ecn.
+
+ New Features:
+
+ Note: In the list that follows, the term group refers
+to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
+a host address) accessed through a particular interface. Examples:
+
+ eth0:0.0.0.0/0
+ eth2:192.168.1.0/24
+ eth3:192.0.2.123
+
+ You can use the "shorewall check" command to see the groups associated with
+each of your zones.
+
+
+
+ - Beginning with Shorewall 1.4.1, if a zone Z comprises more than
+one group then if there is no explicit Z to Z policy and there are
+no rules governing traffic from Z to Z then Shorewall will permit all traffic
+between the groups in the zone.
+ - Beginning with Shorewall 1.4.1, Shorewall will never create rules
+to handle traffic from a group to itself.
+ - A NONE policy is introduced in 1.4.1. When a policy of NONE is
+specified from Z1 to Z2:
+
+
+
+ - There may be no rules created that govern connections from Z1
+to Z2.
+ - Shorewall will not create any infrastructure to handle traffic
+from Z1 to Z2.
+
+ See the upgrade issues for a discussion
+of how these changes may affect your configuration.
More News
@@ -515,7 +314,7 @@ as standard. See http://www.webmin.
-
+
@@ -523,18 +322,18 @@ as standard. See http://www.webmin.
-
+
+
-
+
@@ -542,7 +341,7 @@ as standard. See http://www.webmin.
-
+
This site is hosted by the generous folks at SourceForge.net
@@ -551,45 +350,47 @@ as standard. See http://www.webmin.
-
+
Donations
- |
+
-
- |
-
+
+
+
-
-
-
+
+
+
-
+
-
+
Updated 3/17/2003 - Tom Eastep
-
-
-
+
+Updated 3/21/2003 - Tom Eastep
+
+
+
+
diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm
index 0f85ded95..203d346b4 100644
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@@ -3,89 +3,89 @@
-
+
-
+
Shorewall Support Guide
-
+
-
-
- |
+ |
+
+
+
-
-
+
Shorewall Support Guide
-
- |
-
+
+
+
-
-
+
+
-
+
Before Reporting a Problem or Asking a Question
-
- There are a number
-of sources of Shorewall information. Please try these before you post.
-
-
+
+ There are a number
+ of sources of Shorewall information. Please try these before you post.
+
+
-
+
Site and Mailing List Archive Search
-
-
+
+
-
-
+
+
+
Problem Reporting Guidelines
-
+
-
+
- - Please remember we only know what is posted
-in your message. Do not leave out any information that appears to
-be correct, or was mentioned in a previous post. There have been
+
- Please remember we only know what is posted
+ in your message. Do not leave out any information that appears
+to be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
- configuration was correct when it actually contained a small error.
- We tend to be skeptics where detail is lacking.
-
-
- - Please keep in mind that you're asking for
- free technical support. Any help we offer
-is an act of generosity, not an obligation. Try to make it easy
+ configuration was correct when it actually contained a small error.
+ We tend to be skeptics where detail is lacking.
+
+
+ - Please keep in mind that you're asking for
+ free technical support. Any help we offer
+ is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. Exact quoting of error messages, log entries,
command output, and other output is better than a paraphrase or summary.
-
-
- - Please don't
- describe your environment and then ask us to send you
- custom configuration files. We're here to answer your
-questions but we can't do your job for you.
-
-
- - When reporting a problem, ALWAYS
- include this information:
-
+
+
+ - Please
+don't describe your environment and then ask us to send you
+ custom configuration files. We're here to answer your
+ questions but we can't do your job for you.
+
+
+ - When reporting a problem, ALWAYS
+ include this information:
+
-
+
-
+
- - the exact version of Shorewall you are running.
-
- shorewall version
-
-
+ - the exact version of Shorewall you are
+running.
+
+ shorewall version
+
+
-
+
-
+
- - the exact kernel version you are running
-
- uname -a
-
-
+ - the exact kernel version you are running
+
+ uname -a
+
+
-
+
-
+
- - the complete, exact output of
-
- ip addr show
-
-
+ - the complete, exact output of
+
+ ip addr show
+
+
-
+
-
+
- - the complete, exact output of
-
- ip route show
-
-
+ - the complete, exact output of
+
+ ip route show
+
+
-
+
-
+
- - If your kernel is modularized, the exact
-output from
-
- lsmod
-
-
- - the exact wording of any
If your kernel is modularized, the exact
+ output from
+
+ lsmod
+
+
+ - the exact wording of any
ping failure responses
-
-
- - If you installed Shorewall using one of the QuickStart
- Guides, please indicate which one.
-
-
- - If you are running Shorewall under Mandrake using
- the Mandrake installation of Shorewall, please say so.
+
+
+ - If you installed Shorewall using one of the QuickStart
+ Guides, please indicate which one.
+
+
+ - If you are running Shorewall under Mandrake
+using the Mandrake installation of Shorewall, please say so.
+
+
+
+
+
+
+
+
+
+
+ - If you are having connection
+ problems of any kind then:
+
+ 1. /sbin/shorewall/reset
+
+ 2. Try the connection that is failing.
+
+ 3. /sbin/shorewall status > /tmp/status.txt
+
+ 4. Post the /tmp/status.txt file as an attachment.
-
-
-
-
-
-
- - NEVER include the output of "iptables -L". Instead, if you are having connection problems of
- any kind then:
-
- 1. /sbin/shorewall/reset
-
- 2. Try the connection that is failing.
-
- 3. /sbin/shorewall status > /tmp/status.txt
-
- 4. Post the /tmp/status.txt file as an attachment.
-
-
- - As a general
- matter, please do not edit the diagnostic information
- in an attempt to conceal your IP address, netmask, nameserver addresses,
- domain name, etc. These aren't secrets, and concealing them often
- misleads us (and 80% of the time, a hacker could derive them anyway
- from information contained in the SMTP headers of your post).
-
-
- - Do you see any "Shorewall" messages ("As a general
+ matter, please do not edit the diagnostic information
+ in an attempt to conceal your IP address, netmask, nameserver
+addresses, domain name, etc. These aren't secrets, and concealing
+ them often misleads us (and 80% of the time, a hacker could derive them
+ anyway from information contained in the SMTP headers of your post).
+
+
+ - Do you see any "Shorewall" messages ("/sbin/shorewall show log") when
- you exercise the function that is giving you problems? If so, include
- the message(s) in your post along with a copy of your /etc/shorewall/interfaces
- file.
-
-
- - Please include any of the Shorewall configuration files
- (especially the /etc/shorewall/hosts file if you have
- modified that file) that you think are relevant. If you
+ you exercise the function that is giving you problems? If so,
+include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
+ file.
+
+
+ - Please include any of the Shorewall configuration files
+ (especially the /etc/shorewall/hosts file if you have
+ modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
- as well (rules are meaningless unless one also knows the policies).
-
-
- - If an error occurs when you try to "
+
+
+ - If an error occurs when you try to "shorewall start", include a
trace (See the Troubleshooting
section for instructions).
-
-
- - The list server limits posts to 120kb so don't post GIFs
- of your network layout, etc. to the Mailing
+
+
+ - The list server limits posts to 120kb so don't post GIFs
+ of your network layout, etc. to the Mailing
List -- your post will be rejected.
-
+
-
+
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by Ray Olszewski
- found at http://leaf-project.org/pub/doc/docmanager/docid_1891.html.
-
-
+
+
When using the mailing list, please post in plain text
-
+
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
- to allow HTML in list posts!!
-
- I think that blocking all HTML is a Draconian
- way to control spam and that the ultimate losers here are not
-the spammers but the list subscribers whose MTAs are bouncing
+ to allow HTML in list posts!!
+
+ I think that blocking all HTML is a Draconian
+ way to control spam and that the ultimate losers here are not
+ the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately
- "These e-mail admin's need to get a (expletive deleted) life
- instead of trying to rid the planet of HTML based e-mail". Nevertheless,
- to allow subscribers to receive list posts as must as possible, I have
- now configured the list server at shorewall.net to strip all HTML
-from outgoing posts.
-
+ "These e-mail admin's need to get a (expletive deleted) life
+ instead of trying to rid the planet of HTML based e-mail". Nevertheless,
+ to allow subscribers to receive list posts as must as possible, I
+have now configured the list server at shorewall.net to strip all HTML
+ from outgoing posts.
+
-
+
Where to Send your Problem Report or to Ask for Help
-
+
-
+
If you run Shorewall under Bering -- please post your question or problem
- to the LEAF
- Users mailing list.
- If you run Shorewall under MandrakeSoft Multi
- Network Firewall (MNF) and you have not purchased an MNF license
- from MandrakeSoft then you can post non MNF-specific Shorewall questions
- to the Shorewall
- users mailing list. Do not expect to get free MNF support
-on the list or forum.
+ to the LEAF
+ Users mailing list.
+ If you run Shorewall under MandrakeSoft
+Multi Network Firewall (MNF) and you have not purchased an MNF
+license from MandrakeSoft then you can post non MNF-specific Shorewall
+questions to the Shorewall users mailing
+ list or to the Shorewall Support
+Forum. Do not expect to get free MNF support on the list or forum.
-
+
Otherwise, please post your question or problem to the Shorewall users mailing
- list.
-
-
-
-
-
-
-To Subscribe to the mailing list go to or to the Shorewall Support
+Forum.
+ To Subscribe to the mailing list go to http://lists.shorewall.net/mailman/listinfo/shorewall-users
- .
-
-
+ .
+
+
+
+
+
+
+
For information on other Shorewall mailing lists, go to http://lists.shorewall.net/mailing_list.htm
-
+
-
-Last Updated 3/14/2003 - Tom Eastep
+
+Last Updated 3/17/2003 - Tom Eastep
-
+
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
-
+
+
+
+
diff --git a/Shorewall-docs/traffic_shaping.htm b/Shorewall-docs/traffic_shaping.htm
index cbc5ea160..4efe4fa46 100644
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@@ -1,336 +1,338 @@
-
+
-
+
-
+
-
+
Traffic Shaping
-
+
-
-
- |
+ |
+
+
-
+
Traffic Shaping/Control
- |
-
-
-
+
+
+
+
-
-Shorewall has limited support for traffic shaping/control.
- In order to use traffic shaping under Shorewall, it is essential that
- you get a copy of the Linux Advanced Routing
- and Shaping HOWTO, version 0.3.0 or later.
-
+
+Shorewall has limited support for traffic shaping/control.
+ In order to use traffic shaping under Shorewall, it is essential that
+ you get a copy of the Linux Advanced Routing
+ and Shaping HOWTO, version 0.3.0 or later. It is also necessary
+to be running Linux Kernel 2.4.18 or later.
+
Shorewall traffic shaping support consists of the following:
-
+
- - A new TC_ENABLED parameter in /etc/shorewall.conf.
- Traffic Shaping also requires that you enable packet mangling.
- - A new CLEAR_TC parameter in /etc/shorewall.conf (Added
-in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
-the setting of this variable determines whether Shorewall clears the traffic
+
- A new TC_ENABLED parameter in /etc/shorewall.conf.
+ Traffic Shaping also requires that you enable packet mangling.
+ - A new CLEAR_TC parameter in /etc/shorewall.conf (Added
+ in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
+ the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop.
-
- - /etc/shorewall/tcrules - A file where you can
- specify firewall marking of packets. The firewall mark value may
+
+ - /etc/shorewall/tcrules - A file where you can
+ specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.
-
- - /etc/shorewall/tcstart - A user-supplied file
- that is sourced by Shorewall during "shorewall start" and which
- you can use to define your traffic shaping disciplines and classes.
- I have provided a sample that does
- table-driven CBQ shaping but if you read the traffic shaping sections
- of the HOWTO mentioned above, you can probably code your own faster
- than you can learn how to use my sample. I personally use HTB (see below).
-HTB support may eventually become an integral part of Shorewall
-since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
- HTB is a standard part of the kernel but iproute2 must be patched in
- order to use it.
-
- In tcstart, when you want to run the 'tc' utility, use
- the run_tc function supplied by shorewall if you want tc errors
+
+ - /etc/shorewall/tcstart - A user-supplied file
+ that is sourced by Shorewall during "shorewall start" and which
+ you can use to define your traffic shaping disciplines and classes.
+ I have provided a sample that does
+ table-driven CBQ shaping but if you read the traffic shaping sections
+ of the HOWTO mentioned above, you can probably code your own
+faster than you can learn how to use my sample. I personally use
+ HTB (see below).
+ HTB support may eventually become an integral part of Shorewall
+ since HTB is a lot simpler and better-documented than CBQ. As of
+2.4.20, HTB is a standard part of the kernel but iproute2 must be patched
+ in order to use it.
+
+ In tcstart, when you want to run the 'tc' utility, use
+ the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.
-
- You can generally use off-the-shelf traffic shaping scripts by
+
+ You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use The Wonder Shaper (HTB version)
- that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
-and modified it according to the Wonder Shaper README). WARNING: If
- you use use Masquerading or SNAT (i.e., you only have one external IP address)
- then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
- script won't work. Traffic shaping occurs after SNAT has already been
-applied so when traffic shaping happens, all outbound traffic will have
-as a source address the IP addresss of your firewall's external interface.
-
- - /etc/shorewall/tcclear - A user-supplied file
- that is sourced by Shorewall when it is clearing traffic shaping.
- This file is normally not required as Shorewall's method of clearing
- qdisc and filter definitions is pretty general.
-
+ href="http://lartc.org/wondershaper/">The Wonder Shaper (HTB version)
+ that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
+ modified it according to the Wonder Shaper README). WARNING: If
+ you use use Masquerading or SNAT (i.e., you only have one external IP address)
+ then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
+ script won't work. Traffic shaping occurs after SNAT has already been applied
+ so when traffic shaping happens, all outbound traffic will have as a source
+ address the IP addresss of your firewall's external interface.
+
+ - /etc/shorewall/tcclear - A user-supplied file
+ that is sourced by Shorewall when it is clearing traffic shaping.
+ This file is normally not required as Shorewall's method of clearing
+ qdisc and filter definitions is pretty general.
+
- Shorewall allows you to start traffic shaping when Shorewall itself
-starts or it allows you to bring up traffic shaping when you bring up your
-interfaces.
-
- To start traffic shaping when Shorewall starts:
-
+ Shorewall allows you to start traffic shaping when Shorewall itself
+ starts or it allows you to bring up traffic shaping when you bring up
+your interfaces.
+
+ To start traffic shaping when Shorewall starts:
+
- - Set TC_ENABLED=Yes and CLEAR_TC=Yes
- - Supply an /etc/shorewall/tcstart script to configure your traffic
- shaping rules.
- - Optionally supply an /etc/shorewall/tcclear script to stop traffic
+
- Set TC_ENABLED=Yes and CLEAR_TC=Yes
+ - Supply an /etc/shorewall/tcstart script to configure your traffic
+ shaping rules.
+ - Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.
- - If your tcstart script uses the 'fwmark' classifier, you can
+
- If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.
-
+
- To start traffic shaping when you bring up your network interfaces,
-you will have to arrange for your traffic shaping configuration script to
-be run at that time. How you do that is distribution dependent and will not
-be covered here. You then should:
-
+ To start traffic shaping when you bring up your network interfaces,
+ you will have to arrange for your traffic shaping configuration script
+to be run at that time. How you do that is distribution dependent and will
+not be covered here. You then should:
+
- - Set TC_ENABLED=Yes and CLEAR_TC=No
- - Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
+
- Set TC_ENABLED=Yes and CLEAR_TC=No
+ - Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.
- - If your tcstart script uses the 'fwmark' classifier,
+
- If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.
-
+
-
+
Kernel Configuration
-
+
This screen shot show how I've configured QoS in my Kernel:
-
+
-
-
+
+
/etc/shorewall/tcrules
-
-The fwmark classifier provides a convenient way to classify
- packets for traffic shaping. The /etc/shorewall/tcrules file provides
+
+
The fwmark classifier provides a convenient way to classify
+ packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.
-
-
-Normally, packet marking occurs in the PREROUTING chain before
- any address rewriting takes place. This makes it impossible to mark inbound
- packets based on their destination address when SNAT or Masquerading
-are being used. Beginning with Shorewall 1.3.12, you can cause packet
-marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
-option in shorewall.conf.
-
-
+
+
+Normally, packet marking occurs in the PREROUTING chain before
+ any address rewriting takes place. This makes it impossible to mark inbound
+ packets based on their destination address when SNAT or Masquerading are
+ being used. Beginning with Shorewall 1.3.12, you can cause packet marking
+ to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
+ in shorewall.conf.
+
+
Columns in the file are as follows:
-
+
- - MARK - Specifies the mark value is to be assigned in
- case of a match. This is an integer in the range 1-255. Beginning
-with Shorewall version 1.3.14, this value may be optionally followed by
-":" and either 'F' or 'P' to designate that the marking will occur in the
-FORWARD or PREROUTING chains respectively. If this additional specification
-is omitted, the chain used to mark packets will be determined by the setting
-of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
-
- Example - 5
-
- - SOURCE - The source of the packet. If the packet originates
- on the firewall, place "fw" in this column. Otherwise, this is a
- comma-separated list of interface names, IP addresses, MAC addresses
- in Shorewall Format and/or Subnets.
-
- Examples
- eth0
- 192.168.2.4,192.168.1.0/24
-
- - DEST -- Destination of the packet. Comma-separated
+
- MARK - Specifies the mark value is to be assigned
+in case of a match. This is an integer in the range 1-255. Beginning
+with Shorewall version 1.3.14, this value may be optionally followed by ":"
+and either 'F' or 'P' to designate that the marking will occur in the FORWARD
+or PREROUTING chains respectively. If this additional specification is omitted,
+the chain used to mark packets will be determined by the setting of the
+MARK_IN_FORWARD_CHAIN option in shorewall.conf.
+
+ Example - 5
+
+ - SOURCE - The source of the packet. If the packet originates
+ on the firewall, place "fw" in this column. Otherwise, this is
+a comma-separated list of interface names, IP addresses, MAC addresses
+ in Shorewall Format and/or Subnets.
+
+ Examples
+ eth0
+ 192.168.2.4,192.168.1.0/24
+
+ - DEST -- Destination of the packet. Comma-separated
list of IP addresses and/or subnets.
-
- - PROTO - Protocol - Must be the name of a protocol from
- /etc/protocol, a number or "all"
-
- - PORT(S) - Destination Ports. A comma-separated list
-of Port names (from /etc/services), port numbers or port ranges (e.g.,
- 21:22); if the protocol is "icmp", this column is interpreted
+
+ - PROTO - Protocol - Must be the name of a protocol
+from /etc/protocol, a number or "all"
+
+ - PORT(S) - Destination Ports. A comma-separated list
+ of Port names (from /etc/services), port numbers or port ranges
+(e.g., 21:22); if the protocol is "icmp", this column is interpreted
as the destination icmp type(s).
-
- - CLIENT PORT(S) - (Optional) Port(s) used by the client.
- If omitted, any source port is acceptable. Specified as a comma-separate
+
+ - CLIENT PORT(S) - (Optional) Port(s) used by the client.
+ If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.
-
+
-
-Example 1 - All packets arriving on eth1 should be marked
- with 1. All packets arriving on eth2 and eth3 should be marked with
- 2. All packets originating on the firewall itself should be marked with
- 3.
-
+
+Example 1 - All packets arriving on eth1 should be marked
+ with 1. All packets arriving on eth2 and eth3 should be marked with
+ 2. All packets originating on the firewall itself should be marked
+with 3.
+
-
+
+
+ | MARK |
+ SOURCE |
+ DEST |
+ PROTO |
+ PORT(S) |
+ CLIENT PORT(S) |
+
- | MARK |
- SOURCE |
- DEST |
- PROTO |
- PORT(S) |
- CLIENT PORT(S) |
-
-
- | 1 |
- eth1 |
- 0.0.0.0/0 |
- all |
- |
- |
-
-
- | 2 |
- eth2 |
- 0.0.0.0/0 |
- all |
- |
- |
-
-
- 2
- |
- eth3
- |
- 0.0.0.0/0
- |
- all
- |
-
- |
-
- |
-
-
- | 3 |
- fw |
- 0.0.0.0/0 |
- all |
- |
- |
-
-
-
+ 1 |
+ eth1 |
+ 0.0.0.0/0 |
+ all |
+ |
+ |
+
+
+ | 2 |
+ eth2 |
+ 0.0.0.0/0 |
+ all |
+ |
+ |
+
+
+ 2
+ |
+ eth3
+ |
+ 0.0.0.0/0
+ |
+ all
+ |
+
+ |
+
+ |
+
+
+ | 3 |
+ fw |
+ 0.0.0.0/0 |
+ all |
+ |
+ |
+
+
+
-
-Example 2 - All GRE (protocol 47) packets not originating
- on the firewall and destined for 155.186.235.151 should be marked with
- 12.
-
+
+Example 2 - All GRE (protocol 47) packets not originating
+ on the firewall and destined for 155.186.235.151 should be marked
+with 12.
+
-
+
+
+ | MARK |
+ SOURCE |
+ DEST |
+ PROTO |
+ PORT(S) |
+ CLIENT PORT(S) |
+
- | MARK |
- SOURCE |
- DEST |
- PROTO |
- PORT(S) |
- CLIENT PORT(S) |
-
-
- | 12 |
- 0.0.0.0/0 |
- 155.186.235.151 |
- 47 |
- |
- |
-
-
-
+ 12 |
+ 0.0.0.0/0 |
+ 155.186.235.151 |
+ 47 |
+ |
+ |
+
+
+
-
-Example 3 - All SSH packets originating in 192.168.1.0/24
- and destined for 155.186.235.151 should be marked with 22.
-
+
+Example 3 - All SSH packets originating in 192.168.1.0/24
+ and destined for 155.186.235.151 should be marked with 22.
+
-
+
+
+ | MARK |
+ SOURCE |
+ DEST |
+ PROTO |
+ PORT(S) |
+ CLIENT PORT(S) |
+
- | MARK |
- SOURCE |
- DEST |
- PROTO |
- PORT(S) |
- CLIENT PORT(S) |
-
-
- | 22 |
- 192.168.1.0/24 |
- 155.186.235.151 |
- tcp |
- 22 |
- |
-
-
-
+ 22 |
+ 192.168.1.0/24 |
+ 155.186.235.151 |
+ tcp |
+ 22 |
+ |
+
+
+
-
+
My Setup
-
-
+
+
While I am currently using the HTB version of The Wonder Shaper (I just copied
- wshaper.htb to /etc/shorewall/tcstart and modified it as shown
- in the Wondershaper README), I have also run with the following set of
+ href="http://lartc.org/wondershaper/">The Wonder Shaper (I just copied
+ wshaper.htb to /etc/shorewall/tcstart and modified it as shown
+ in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my /etc/shorewall/tcstart file:
-
-
-
- run_tc qdisc add dev eth0 root handle 1: htb default 30
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k
echo " Added Top Level Class -- rate 384kbit"
-
- run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
-
- echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
-
- run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
-
- echo " Enabled PFIFO on Second Level Classes"
-
- run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
-
- echo " Defined fwmark filters"
-
-
-My tcrules file that went with this tcstart file is shown in Example 1
- above. You can look at my configuration to
-see why I wanted shaping of this type.
+
+ run_tc qdisc add dev eth0 root handle 1: htb default 30
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k
echo " Added Top Level Class -- rate 384kbit"
+
+ run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
+
+ echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
+
+ run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
+
+ echo " Enabled PFIFO on Second Level Classes"
+
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
+
+ echo " Defined fwmark filters"
+
+
+My tcrules file that went with this tcstart file is shown in Example 1
+ above. You can look at my configuration to
+see why I wanted shaping of this type.
+
+
- - I wanted to allow up to 140kbits/second for traffic outbound
- from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
- can use all available bandwidth if there is no traffic from the local
-systems or from my laptop or firewall).
- - My laptop and local systems could use up to 224kbits/second.
- - My firewall could use up to 20kbits/second.
-
+ - I wanted to allow up to 140kbits/second for traffic outbound
+ from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
+traffic can use all available bandwidth if there is no traffic from the
+local systems or from my laptop or firewall).
+ - My laptop and local systems could use up to 224kbits/second.
+ - My firewall could use up to 20kbits/second.
+
- You see the rest of my Shorewall configuration
-to see how this fit in.
-
-Last Updated 3/5/2003 - Tom Eastep
-
-Copyright
- © 2001, 2002, 2003 Thomas M. Eastep.
-
+ You see the rest of my Shorewall configuration
+ to see how this fit in.
+
+Last Updated 3/19/2003 - Tom Eastep
+
+Copyright
+ © 2001, 2002, 2003 Thomas M. Eastep.
+
+
diff --git a/Shorewall-docs/upgrade_issues.htm b/Shorewall-docs/upgrade_issues.htm
index 79d1c7aa7..3220327e2 100755
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@@ -1,310 +1,409 @@
-
+
Upgrade Issues
-
+
-
+
-
+
+
-
+
-
-
- |
-
+ |
+
+
+
+
Upgrade Issues
- |
-
-
-
+
+
+
+
-
+
+
For upgrade instructions see the Install/Upgrade page.
-
+ href="Install.htm">Install/Upgrade page.
+
+
+It is important that you read all of the sections on this page where the
+ version number mentioned in the section title is later than what you are
+currently running.
+
+
-
+
+Version >= 1.4.1
+
+
+ - Beginning with Version 1.4.1, intra-zone traffic is accepted by default.
+Previously, traffic from a zone to itself was treated just like any other
+traffic; any matching rules were applied followed by enforcement of the appropriate
+policy. With 1.4.1 and later versions, unless you have explicit rules for
+traffic from Z to Z or you have an explicit Z to Z policy (where "Z" is some
+zone) then traffic within zone Z will be accepted. If you do have one or more
+explicit rules for Z to Z or if you have an explicit Z to Z policy then the
+behavior is as it was in prior versions.
+
+
+
+
+
+ - If you have a Z Z ACCEPT policy for a zone to allow traffic between
+two interfaces to the same zone, that policy can be removed and traffic between
+the interfaces will traverse fewer rules than previously.
+ - If you have a Z Z DROP or Z Z REJECT policy or you have Z->Z
+rules then your configuration should not require any change.
+ - If you are currently relying on a implicit policy (one that has "all"
+in either the SOURCE or DESTINATION column) to prevent traffic between two
+interfaces to a zone Z and you have no rules for Z->Z then you should
+add an explicit DROP or REJECT policy for Z to Z.
+
+
+
+
+
+
+ - Beginning with Version 1.4.1, Shorewall will never create rules to
+deal with traffic from a given interface:subnetwork back to itself.
+The multi interface option is no longer available so if you want to
+route traffic between two subnetworks on the same interface then either:
+
+
+
+
+
+ - The subnetworks must be in different zones; or
+ - You must use the /etc/shorewall/hosts file to define the subnetworks
+in a single zone.
+
+
+
+ Example 1 -- Two zones:
+
+ /etc/shorewall/zones
z1 Zone1 The first Zone
z2 Zone2 The secont Zone
/etc/shorewall/policy
z1 z2 ACCEPT
z2 z1 ACCEPT
/etc/shorewall/interfaces
- eth1 192.168.1.255,192.168.2.255
/etc/shorewall/hosts
z1 eth1:192.168.1.0/24
z2 eth1:192.168.2.0/24
+
+Example 2 -- One zone:
+
+
/etc/shorewall/zones
z Zone The Zone
/etc/shorewall/interfaces
- eth1 192.168.1.255,192.168.2.255
/etc/shorewall/hosts
z eth1:192.168.1.0/24
z eth1:192.168.2.0/24
+
+Note that in the second example, we don't need any policy since z->z traffic
+is accepted by default. The second technique is preferable if you want unlimited
+access between the two subnetworks.
+
+Sometimes, you want two separate zones on one interface but you don't want
+Shorewall to set up any infrastructure to handle traffic between them.
+
+Example:
+
+
+ /etc/shorewall/zones
z1 Zone1 The first Zone
z2 Zone2 The secont Zone
/etc/shorewall/interfaces
z2 eth1 192.168.1.255
/etc/shorewall/hosts
z1 eth1:192.168.1.3
+
+Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
+in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
+can prevent Shorewall from setting up any infrastructure to handle traffic
+between z1 and z2 by using the new NONE policy:
+
+ /etc/shorewall/policy
z1 z2 NONE
z2 z1 NONE
+
+Note that NONE policies are generally used in pairs unless there is asymetric
+routing where only the traffic on one direction flows through the firewall
+and you are using a NONE polciy in the other direction.
Version >= 1.4.0
- IMPORTANT: Shorewall >=1.4.0 REQUIRES the iproute package
-('ip' utility).
-
- If you are upgrading from a version < 1.4.0, then:
-
-
- - The noping and forwardping interface options are
-no longer supported nor is the FORWARDPING option in shorewall.conf.
-ICMP echo-request (ping) packets are treated just like any other connection
-request and are subject to rules and policies.
- - Interface names of the form <device>:<integer> in
-/etc/shorewall/interfaces now generate a Shorewall error at startup (they
-always have produced warnings in iptables).
- - The MERGE_HOSTS variable has been removed from shorewall.conf.
-Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
-are determined by BOTH the interfaces and hosts files when there are entries
-for the zone in both files.
- - The routestopped option in the interfaces and hosts file
-has been eliminated; use entries in the routestopped file instead.
- - The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
- accepted; you must convert to using the new syntax.
- - The ALLOWRELATED variable in shorewall.conf is no longer
- supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
- - Late-arriving DNS replies are not dropped by default;
-there is no need for your own /etc/shorewall/common file simply to avoid
-logging these packets.
- - The 'firewall', 'functions' and 'version' file have been
- moved to /usr/share/shorewall.
- - The icmp.def file has been removed. If you include it
-from /etc/shorewall/icmpdef, you will need to modify that file.
- - The 'multi' interface option is no longer supported. Shorewall
- will generate rules for sending packets back out the same interface that
-they arrived on in two cases:
-
-
-
-
-
-
- - There is an explicit policy for the source zone to or from
- the destination zone. An explicit policy names both zones and does not use
- the 'all' reserved word.
-
-
-
-
- - There are one or more rules for traffic for the source zone to
-or from the destination zone including rules that use the 'all' reserved
-word. Exception: if the source zone and destination zone are the same then
-the rule must be explicit - it must name the zone in both the SOURCE and
-DESTINATION columns.
-
-
- - If you followed the advice in FAQ #2 and call find_interface_address
-in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.
-
-
-
-
-
-
-Version >= 1.3.14
- 
- Beginning in version 1.3.14, Shorewall treats entries in /etc/shorewall/masq differently. The change
- involves entries with an interface name in the SUBNET (second)
- column:
-
-
- - Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
- interface (as shown by "ip addr show interface") and would masquerade
- traffic from that subnet. Any other subnets that routed through eth1 needed
- their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
- applied.
- - Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
- routing table to determine ALL subnets routed through the named interface.
- Traffic originating in ANY of those subnets is masqueraded or has SNAT
-applied.
-
-
- You will need to make a change to your configuration if:
-
-
- - You have one or more entries in /etc/shorewall/masq with an interface
- name in the SUBNET (second) column; and
- - That interface connects to more than one subnetwork.
-
-
- Two examples:
-
- Example 1 -- Suppose that your current config is as follows:
-
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
-In this case, the second entry in /etc/shorewall/masq is no longer
- required.
-
- Example 2-- What if your current configuration is like this?
-
- [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
-
-In this case, you would want to change the entry in /etc/shorewall/masq
- to:
-
-
- #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
- Version 1.3.14 also introduced simplified ICMP echo-request (ping)
- handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
- is used to specify that the old (pre-1.3.14) ping handling is to be used
- (If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
- is assumed). I don't plan on supporting the old handling indefinitely so
- I urge current users to migrate to using the new handling as soon as possible.
- See the 'Ping' handling documentation for details.
-
-Version 1.3.10
- If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
-to version 1.3.10, you will need to use the '--force' option:
-
-
-
- rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
-
-
-Version >= 1.3.9
- The 'functions' file has moved to /usr/lib/shorewall/functions.
-If you have an application that uses functions from that file, your application
- will need to be changed to reflect this change of location.
+ IMPORTANT: Shorewall >=1.4.0 requires the iproute
+ package ('ip' utility).
+
+ Note: Unfortunately, some distributions call this package iproute2
+ which will cause the upgrade of Shorewall to fail with the diagnostic:
+
+ error: failed dependencies:iproute is needed by shorewall-1.4.0-1
+
+
+ This may be worked around by using the --nodeps option of rpm (rpm -Uvh
+ --nodeps <shorewall rpm>).
+
+ If you are upgrading from a version < 1.4.0, then:
+
+ - The noping and forwardping interface options
+are no longer supported nor is the FORWARDPING option in shorewall.conf.
+ ICMP echo-request (ping) packets are treated just like any other connection
+ request and are subject to rules and policies.
+ - Interface names of the form <device>:<integer>
+in /etc/shorewall/interfaces now generate a Shorewall error at startup
+(they always have produced warnings in iptables).
+ - The MERGE_HOSTS variable has been removed from shorewall.conf.
+ Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
+contents are determined by BOTH the interfaces and hosts files when there
+are entries for the zone in both files.
+ - The routestopped option in the interfaces and hosts
+file has been eliminated; use entries in the routestopped file instead.
+ - The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
+longer accepted; you must convert to using the new syntax.
+ - The ALLOWRELATED variable in shorewall.conf is no
+longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
+ - Late-arriving DNS replies are now dropped by default;
+ there is no need for your own /etc/shorewall/common file simply to avoid
+ logging these packets.
+ - The 'firewall', 'functions' and 'version' file have
+ been moved to /usr/share/shorewall.
+ - The icmp.def file has been removed. If you include
+it from /etc/shorewall/icmpdef, you will need to modify that file.
+
+
+ - If you followed the advice in FAQ #2 and call find_interface_address
+ in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.
+
+
+
+
+
+
+Version 1.4.0
+
+
+ - The 'multi' interface option is no longer supported. Shorewall
+ will generate rules for sending packets back out the same interface that
+ they arrived on in two cases:
+
+
+
+
+
+ - There is an explicit policy for the source zone to or from
+ the destination zone. An explicit policy names both zones and does not use
+ the 'all' reserved word.
+
+
+
+
+ - There are one or more rules for traffic for the source zone to
+or from the destination zone including rules that use the 'all' reserved
+ word. Exception: if the source zone and destination zone are the same then
+ the rule must be explicit - it must name the zone in both the SOURCE and
+DESTINATION columns.
+
+
+
+
+Version >= 1.3.14
+
+ Beginning in version 1.3.14, Shorewall treats entries in /etc/shorewall/masq differently. The change
+ involves entries with an interface name in the SUBNET
+(second) column:
+
+
+ - Prior to 1.3.14, Shorewall would detect the FIRST subnet
+on the interface (as shown by "ip addr show interface") and would
+masquerade traffic from that subnet. Any other subnets that routed through
+eth1 needed their own entry in /etc/shorewall/masq to be masqueraded or
+to have SNAT applied.
+ - Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
+ routing table to determine ALL subnets routed through the named interface.
+ Traffic originating in ANY of those subnets is masqueraded or has SNAT
+ applied.
+
+
+ You will need to make a change to your configuration if:
+
+
+ - You have one or more entries in /etc/shorewall/masq with
+an interface name in the SUBNET (second) column; and
+ - That interface connects to more than one subnetwork.
+
+
+ Two examples:
+
+ Example 1 -- Suppose that your current config is as follows:
+
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+In this case, the second entry in /etc/shorewall/masq is no longer
+ required.
+
+ Example 2-- What if your current configuration is like this?
+
+ [root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+In this case, you would want to change the entry in /etc/shorewall/masq
+ to:
+
+
+ #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+ Version 1.3.14 also introduced simplified ICMP echo-request
+(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
+ is used to specify that the old (pre-1.3.14) ping handling is to be used
+ (If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
+ is assumed). I don't plan on supporting the old handling indefinitely
+so I urge current users to migrate to using the new handling as soon as
+possible. See the 'Ping' handling documentation
+for details.
+
+Version 1.3.10
+ If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
+ to version 1.3.10, you will need to use the '--force' option:
+
+
+
+ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
+
+
+Version >= 1.3.9
+ The 'functions' file has moved to /usr/lib/shorewall/functions.
+ If you have an application that uses functions from that file, your
+application will need to be changed to reflect this change of location.
+
Version >= 1.3.8
-
+
If you have a pair of firewall systems configured for failover
- or if you have asymmetric routing, you will need to modify
- your firewall setup slightly under Shorewall
- versions >= 1.3.8. Beginning with version 1.3.8,
- you must set NEWNOTSYN=Yes in your
- /etc/shorewall/shorewall.conf file.
-
+ or if you have asymmetric routing, you will need to modify
+ your firewall setup slightly under Shorewall
+ versions >= 1.3.8. Beginning with version 1.3.8,
+ you must set NEWNOTSYN=Yes in your
+ /etc/shorewall/shorewall.conf file.
+
Version >= 1.3.7
-
+
Users specifying ALLOWRELATED=No in /etc/shorewall.conf
- will need to include the following rules
- in their /etc/shorewall/icmpdef file (creating
- this file if necessary):
-
+ will need to include the following rules
+ in their /etc/shorewall/icmpdef file
+(creating this file if necessary):
+
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
-
+
Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
- command from that file since the icmp.def file is now empty.
-
+ command from that file since the icmp.def file is now empty.
+
Upgrading Bering to
Shorewall >= 1.3.3
-
+
To properly upgrade with Shorewall version
1.3.3 and later:
-
+
- - Be sure you have a backup
--- you will need to transcribe any Shorewall
- configuration changes that you have
-made to the new configuration.
- - Replace the shorwall.lrp
-package provided on the Bering floppy
-with the later one. If you did not obtain
-the later version from Jacques's site,
-see additional instructions below.
- - Edit the /var/lib/lrpkg/root.exclude.list
- file and remove the /var/lib/shorewall
- entry if present. Then do not forget
-to backup root.lrp !
-
+ - Be sure you have a backup
+ -- you will need to transcribe any
+Shorewall configuration changes that
+you have made to the new configuration.
+ - Replace the shorwall.lrp
+ package provided on the Bering floppy
+ with the later one. If you did not
+obtain the later version from Jacques's
+ site, see additional instructions below.
+ - Edit the /var/lib/lrpkg/root.exclude.list
+ file and remove the /var/lib/shorewall
+ entry if present. Then do not forget
+ to backup root.lrp !
+
-
+
The .lrp that I release isn't set up for a two-interface firewall like
- Jacques's. You need to follow the instructions
- for setting up a two-interface firewall plus you also need to add
- the following two Bering-specific rules to /etc/shorewall/rules:
-
-
+ Jacques's. You need to follow the instructions
+ for setting up a two-interface firewall plus you also need to
+ add the following two Bering-specific rules to /etc/shorewall/rules:
+
+
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
-
-
+
+
Version 1.3.6 and 1.3.7
-
+
If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
- your firewall setup slightly under Shorewall versions 1.3.6
- and 1.3.7
-
+ your firewall setup slightly under Shorewall versions 1.3.6
+ and 1.3.7
+
- -
-
+
-
+
Create the file /etc/shorewall/newnotsyn and in it add
- the following rule
-
- run_iptables -A newnotsyn -j RETURN
- # So that the connection tracking table can be rebuilt
- # from non-SYN
-packets after takeover.
-
-
- -
-
+ the following rule
+
+ run_iptables -A newnotsyn
+-j RETURN # So that the connection tracking table can be
+rebuilt
+ # from non-SYN
+ packets after takeover.
+
+
+ -
+
Create /etc/shorewall/common (if you don't already
have that file) and include the following:
-
- run_iptables -A common -p tcp
---tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
-connection
-
- #tracking table.
- . /etc/shorewall/common.def
-
-
+
+ run_iptables -A common -p
+tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
+to rebuild connection
+
+ #tracking table.
+ . /etc/shorewall/common.def
+
+
-
+
Versions >= 1.3.5
-
+
Some forms of pre-1.3.0 rules file syntax are no
longer supported.
-
+
Example 1:
-
-
+
+
ACCEPT net loc:192.168.1.12:22 tcp 11111 - all
-
-
+
Must be replaced with:
-
-
+
+
DNAT net loc:192.168.1.12:22 tcp 11111
-
-
-
+
+
+
-
-
+
+
+
ACCEPT loc fw::3128 tcp 80 - all
-
-
-
+
+
+
-
-
+
+
+
REDIRECT loc 3128 tcp 80
-
-
+
Version >= 1.3.2
-
+
The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
- If you have applications that access these files, those applications
- should be modified accordingly.
-
- Last updated 3/6/2003 -
-Tom Eastep
-
+ If you have applications that access these files, those
+applications should be modified accordingly.
+
+ Last updated 3/18/2003 -
+ Tom Eastep
+
Copyright
- © 2001, 2002, 2003 Thomas M. Eastep.
-
-
-
-
-
-
+ © 2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 63612e8a8..f47da6b25 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -5,3 +5,5 @@ Changes since 1.4.0
2. Never create rules for : to itself.
3. Always allow intrazone traffic.
+
+4. Correct building of ECN interface list under ash.
diff --git a/Shorewall/fallback.sh b/Shorewall/fallback.sh
index 40cac8cd8..092186888 100755
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=1.4.0
+VERSION=1.4.1
usage() # $1 = exit status
{
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index deb3dec18..c368e21ad 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
-VERSION=1.4.0
+VERSION=1.4.1
usage() # $1 = exit status
{
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index ea1f9c4ed..a299bc280 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,5 +1,5 @@
%define name shorewall
-%define version 1.4.0
+%define version 1.4.1
%define release 1
%define prefix /usr
@@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
+* Fri Mar 21 2003 Tom Eastep
+- Changed version to 1.4.1-1
* Mon Mar 17 2003 Tom Eastep
- Changed version to 1.4.0-1
* Fri Mar 07 2003 Tom Eastep
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index b544cfd98..5ab7c63d4 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.0
+VERSION=1.4.1
usage() # $1 = exit status
{