Shorewall 1.4.1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@518 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
04d78dc49f
commit
8377f70bc7
@ -15,13 +15,13 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Installation and
|
||||
Upgrade</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
@ -30,13 +30,13 @@
|
||||
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
|
||||
|
||||
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
|
||||
<a href="#Install_Tarball">Install using tarball<br>
|
||||
</a><a href="#LRP">Install the .lrp</a><br>
|
||||
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
|
||||
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
|
||||
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
|
||||
<a href="#Config_Files">Configuring Shorewall</a><br>
|
||||
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
|
||||
<a href="#Install_Tarball">Install using tarball<br>
|
||||
</a><a href="#LRP">Install the .lrp</a><br>
|
||||
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
|
||||
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
|
||||
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
|
||||
<a href="#Config_Files">Configuring Shorewall</a><br>
|
||||
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
|
||||
|
||||
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
|
||||
|
||||
@ -48,20 +48,33 @@
|
||||
attempting to start Shorewall.</b></p>
|
||||
|
||||
<ul>
|
||||
<li>Install the RPM (rpm -ivh <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm
|
||||
reports a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to rpm (rpm
|
||||
-ivh --nodeps <shorewall rpm>).</li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
|
||||
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
|
||||
<li>Install the RPM (rpm -ivh <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note1: </b>Some SuSE users have encountered a problem whereby
|
||||
rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
|
||||
is installed. If this happens, simply use the --nodeps option to rpm
|
||||
(rpm -ivh --nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
|
||||
on the iproute package. Unfortunately, some distributions call this package
|
||||
iproute2 which will cause the installation of Shorewall to fail with the
|
||||
diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by shorewall-1.4.0-1
|
||||
<br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
|
||||
<shorewall rpm>).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to
|
||||
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
|
||||
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
|
||||
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
|
||||
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
|
||||
RESTORE NETWORK CONNECTIVITY.</b></font></li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
|
||||
NETWORK CONNECTIVITY.</b></font></li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -69,122 +82,132 @@ RESTORE NETWORK CONNECTIVITY.</b></font></li>
|
||||
and install script: </p>
|
||||
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-1.1.10").</li>
|
||||
<li>If you are using <a
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-1.1.10").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
|
||||
"./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
<li>If you are using <a href="http://www.suse.com">SuSe</a> then
|
||||
type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
or /etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
|
||||
your configuration.</li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
<li>If the install script was unable to configure Shorewall to be
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to
|
||||
match your configuration.</li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
<li>If the install script was unable to configure Shorewall to be
|
||||
started automatically at boot, see <a
|
||||
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
|
||||
disk, simply replace the "shorwall.lrp" file on the image with the file
|
||||
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
|
||||
disk, simply replace the "shorwall.lrp" file on the image with the file that
|
||||
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
|
||||
Guide</a> for information about further steps required.</p>
|
||||
|
||||
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
|
||||
and are upgrading to a new version:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
|
||||
or and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an entry
|
||||
for each interface mentioned in the hosts file. Also, there are certain
|
||||
1.2 rule forms that are no longer supported under 1.4 (you must use the
|
||||
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
|
||||
details.</p>
|
||||
1.2 rule forms that are no longer supported under 1.4 (you must use the new
|
||||
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
|
||||
|
||||
<ul>
|
||||
<li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note:
|
||||
</b>If you are installing version 1.2.0 and have one of the 1.2.0
|
||||
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
|
||||
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
|
||||
<li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note:
|
||||
</b>If you are installing version 1.2.0 and have one of the 1.2.0
|
||||
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
|
||||
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
|
||||
|
||||
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
|
||||
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
|
||||
rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
|
||||
is installed. If this happens, simply use the --nodeps option to rpm
|
||||
(rpm -Uvh --nodeps <shorewall rpm>).<br>
|
||||
</p>
|
||||
</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
|
||||
<li>Restart the firewall (shorewall restart).</li>
|
||||
is installed. If this happens, simply use the --nodeps option to rpm (rpm
|
||||
-Uvh --nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on
|
||||
the iproute package. Unfortunately, some distributions call this package iproute2
|
||||
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by shorewall-1.4.0-1
|
||||
<br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
|
||||
--nodeps <shorewall rpm>). </p>
|
||||
</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall (shorewall restart).</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
|
||||
and are upgrading to a new version using the tarball:</p>
|
||||
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
|
||||
are upgrading to a new version using the tarball:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an entry
|
||||
for each interface mentioned in the hosts file. Also, there are certain
|
||||
1.2 rule forms that are no longer supported under 1.4 (you must use the
|
||||
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
|
||||
for details. </p>
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
|
||||
you have entries in the /etc/shorewall/hosts file then please check your
|
||||
/etc/shorewall/interfaces file to be sure that it contains an entry for
|
||||
each interface mentioned in the hosts file. Also, there are certain 1.2
|
||||
rule forms that are no longer supported under 1.4 (you must use the new
|
||||
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
|
||||
details. </p>
|
||||
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-3.0.1").</li>
|
||||
<li>If you are using <a
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-3.0.1").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
|
||||
"./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then
|
||||
type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
or /etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
|
||||
<li>Restart the firewall by typing "shorewall restart"</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall by typing "shorewall restart"</li>
|
||||
|
||||
</ul>
|
||||
<a name="LRP_Upgrade"></a>If you already have a running Bering
|
||||
installation and wish to upgrade to a later version of Shorewall:<br>
|
||||
<br>
|
||||
<b>UNDER CONSTRUCTION...</b><br>
|
||||
<a name="LRP_Upgrade"></a>If you already have a running Bering
|
||||
installation and wish to upgrade to a later version of Shorewall:<br>
|
||||
<br>
|
||||
<b>UNDER CONSTRUCTION...</b><br>
|
||||
|
||||
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
|
||||
|
||||
<p>You will need to edit some or all of the configuration files to match
|
||||
your setup. In most cases, the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
|
||||
contain all of the information you need.</p>
|
||||
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart Guides</a> contain all of the information you need.</p>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><font size="2">Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -17,163 +17,174 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
|
||||
without changing their IP addresses and without having to re-subnet.
|
||||
Before you try to use this technique, I strongly recommend that you read the
|
||||
<a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
without changing their IP addresses and without having to re-subnet.
|
||||
Before you try to use this technique, I strongly recommend that you read
|
||||
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
|
||||
<p>The following figure represents a Proxy ARP environment.</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/proxyarp.png"
|
||||
width="519" height="397">
|
||||
</strong></p>
|
||||
</strong></p>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">Proxy ARP can be used to make the systems with addresses
|
||||
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
|
||||
subnet. Assuming that the upper firewall interface is eth0 and the
|
||||
lower interface is eth1, this is accomplished using the following entries
|
||||
in /etc/shorewall/proxyarp:</p>
|
||||
subnet. Assuming that the upper firewall interface is eth0 and the
|
||||
lower interface is eth1, this is accomplished using the following entries
|
||||
in /etc/shorewall/proxyarp:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ADDRESS</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>HAVEROUTE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ADDRESS</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>HAVEROUTE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
|
||||
in the above example) are not included in any specification in /etc/shorewall/masq
|
||||
or /etc/shorewall/nat.</p>
|
||||
|
||||
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
|
||||
irrelevant. </p>
|
||||
irrelevant. </p>
|
||||
|
||||
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
|
||||
subnet mask and default gateway configured exactly the same way that
|
||||
the Firewall system's eth0 is configured.</p>
|
||||
subnet mask and default gateway configured exactly the same way that
|
||||
the Firewall system's eth0 is configured. In other words, they should
|
||||
be configured just like they would be if they were parallel to the firewall
|
||||
rather than behind it.<br>
|
||||
</p>
|
||||
|
||||
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
|
||||
(130.252.100.18 and 130.252.100.19 in the above example) to the external
|
||||
interface (eth0 in this example) of the firewall.</b></font><br>
|
||||
</p>
|
||||
<div align="left"> </div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">A word of warning is in order here. ISPs typically configure
|
||||
their routers with a long ARP cache timeout. If you move a system from
|
||||
parallel to your firewall to behind your firewall with Proxy ARP, it will
|
||||
probably be HOURS before that system can communicate with the internet.
|
||||
There are a couple of things that you can try:<br>
|
||||
</p>
|
||||
their routers with a long ARP cache timeout. If you move a system from
|
||||
parallel to your firewall to behind your firewall with Proxy ARP, it will
|
||||
probably be HOURS before that system can communicate with the internet.
|
||||
There are a couple of things that you can try:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
|
||||
Vol 1</i> reveals that a <br>
|
||||
<br>
|
||||
"gratuitous" ARP packet should cause the ISP's router to refresh their ARP
|
||||
cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
|
||||
address for its own IP; in addition to ensuring that the IP address isn't
|
||||
a duplicate...<br>
|
||||
<br>
|
||||
"if the host sending the gratuitous ARP has just changed its hardware address...,
|
||||
this packet causes any other host...that has an entry in its cache for the
|
||||
old hardware address to update its ARP cache entry accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host
|
||||
from being exposed to the Internet to behind Shorewall using proxy ARP (or
|
||||
static NAT for that matter). Happily enough, recent versions of Redhat's
|
||||
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
|
||||
Vol 1</i> reveals that a <br>
|
||||
<br>
|
||||
"gratuitous" ARP packet should cause the ISP's router to refresh their
|
||||
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
|
||||
MAC address for its own IP; in addition to ensuring that the IP address isn't
|
||||
a duplicate...<br>
|
||||
<br>
|
||||
"if the host sending the gratuitous ARP has just changed its hardware
|
||||
address..., this packet causes any other host...that has an entry in its
|
||||
cache for the old hardware address to update its ARP cache entry accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host
|
||||
from being exposed to the Internet to behind Shorewall using proxy ARP (or
|
||||
static NAT for that matter). Happily enough, recent versions of Redhat's
|
||||
iputils package include "arping", whose "-U" flag does just that:<br>
|
||||
<br>
|
||||
<font color="#009900"><b>arping -U -I <i><net if> <newly proxied
|
||||
IP></i></b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
|
||||
<br>
|
||||
Stevens goes on to mention that not all systems respond correctly to gratuitous
|
||||
ARPs, but googling for "arping -U" seems to support the idea that it works
|
||||
most of the time.<br>
|
||||
<br>
|
||||
To use arping with Proxy ARP in the above example, you would have to:<br>
|
||||
<br>
|
||||
<font color="#009900"><b> shorewall clear<br>
|
||||
</b></font> <font color="#009900"><b>ip addr add 130.252.100.18 dev
|
||||
eth0<br>
|
||||
ip addr add 130.252.100.19 dev eth0</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
|
||||
<b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
|
||||
ip addr del 130.252.100.19 dev eth0<br>
|
||||
shorewall start</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>You can call your ISP and ask them to purge the stale ARP cache
|
||||
entry but many either can't or won't purge individual entries.</li>
|
||||
<br>
|
||||
<font color="#009900"><b>arping -U -I <i><net if> <newly
|
||||
proxied IP></i></b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
|
||||
<br>
|
||||
Stevens goes on to mention that not all systems respond correctly to gratuitous
|
||||
ARPs, but googling for "arping -U" seems to support the idea that it works
|
||||
most of the time.<br>
|
||||
<br>
|
||||
To use arping with Proxy ARP in the above example, you would have to:<br>
|
||||
<br>
|
||||
<font color="#009900"><b> shorewall clear<br>
|
||||
</b></font> <font color="#009900"><b>ip addr add 130.252.100.18
|
||||
dev eth0<br>
|
||||
ip addr add 130.252.100.19 dev eth0</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
|
||||
<b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
|
||||
ip addr del 130.252.100.19 dev eth0<br>
|
||||
shorewall start</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>You can call your ISP and ask them to purge the stale ARP cache
|
||||
entry but many either can't or won't purge individual entries.</li>
|
||||
|
||||
</ol>
|
||||
You can determine if your ISP's gateway ARP cache is stale using ping
|
||||
and tcpdump. Suppose that we suspect that the gateway router has a stale
|
||||
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
|
||||
You can determine if your ISP's gateway ARP cache is stale using ping
|
||||
and tcpdump. Suppose that we suspect that the gateway router has a stale
|
||||
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
|
||||
will assume is 130.252.100.254):</p>
|
||||
</div>
|
||||
will assume is 130.252.100.254):</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">We can now observe the tcpdump output:</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Notice that the source MAC address in the echo request is
|
||||
different from the destination MAC address in the echo reply!! In this
|
||||
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
|
||||
was the MAC address of the system on the lower left. In other words, the
|
||||
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
|
||||
system rather than with the firewall's eth0.</p>
|
||||
</div>
|
||||
different from the destination MAC address in the echo reply!! In this
|
||||
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
|
||||
was the MAC address of the system on the lower left. In other words, the
|
||||
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
|
||||
system rather than with the firewall's eth0.</p>
|
||||
</div>
|
||||
|
||||
<p><font size="2">Last updated 1/26/2003 - </font><font size="2"> <a
|
||||
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -24,14 +24,14 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
@ -40,61 +40,64 @@
|
||||
<p align="center"> <b><u>IMPORTANT</u></b></p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||
a corrected script, be sure to run the script through <u>
|
||||
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
||||
it to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>If you are installing Shorewall for the
|
||||
first time and plan to use the .tgz and install.sh script, you can
|
||||
untar the archive, replace the 'firewall' script in the untarred directory
|
||||
|
||||
<p align="left"> <b>If you are installing Shorewall for the first
|
||||
time and plan to use the .tgz and install.sh script, you can untar
|
||||
the archive, replace the 'firewall' script in the untarred directory
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
|
||||
<p align="left"> <b>When the instructions say to install a corrected
|
||||
firewall script in /usr/share/shorewall/firewall, you may
|
||||
rename the existing file before copying in the new file.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
firewall script in /usr/share/shorewall/firewall, you may
|
||||
rename the existing file before copying in the new file.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
|
||||
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
|
||||
For example, do NOT install the 1.3.9a firewall script if you are running
|
||||
1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
</p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<ul>
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="errata_3.html">Problems in Version 1.3</a></b></li>
|
||||
<li> <b><a
|
||||
<li> <b><a
|
||||
href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li> <b><font
|
||||
<li> <b><font
|
||||
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li> <b><font
|
||||
<li> <b><font
|
||||
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
|
||||
on RH7.2</a></font></b></li>
|
||||
<li> <b><a
|
||||
href="#Debug">Problems with kernels >= 2.4.18 and
|
||||
RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading
|
||||
on RH7.2</a></font></b></li>
|
||||
<li> <b><a
|
||||
href="#Debug">Problems with kernels >= 2.4.18 and RedHat
|
||||
iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading
|
||||
RPM on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables
|
||||
<li><b><a href="#Multiport">Problems with iptables
|
||||
version 1.2.7 and MULTIPORT=Yes</a></b></li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
|
||||
and NAT</a></b><br>
|
||||
</li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
|
||||
and NAT</a></b><br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -103,7 +106,16 @@ and NAT</a></b><br>
|
||||
|
||||
|
||||
<h3></h3>
|
||||
None.
|
||||
|
||||
<h3>1.4.0</h3>
|
||||
<ul>
|
||||
<li>When running under certain shells Shorewall will attempt to create
|
||||
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
|
||||
/etc/shorewall/ecn or you can install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
|
||||
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<hr width="100%" size="2">
|
||||
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
|
||||
|
||||
@ -117,51 +129,51 @@ and NAT</a></b><br>
|
||||
<blockquote>
|
||||
|
||||
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
|
||||
prevent it from working with Shorewall. Regrettably, RedHat
|
||||
released this buggy iptables in RedHat 7.2. </p>
|
||||
prevent it from working with Shorewall. Regrettably,
|
||||
RedHat released this buggy iptables in RedHat 7.2. </p>
|
||||
|
||||
|
||||
<p align="left"> I have built a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have
|
||||
also built an <a
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have
|
||||
also built an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
running RedHat 7.1, you can install either of these RPMs
|
||||
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
|
||||
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
|
||||
|
||||
|
||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||
has released an iptables-1.2.4 RPM of their own which you can
|
||||
download from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
||||
</font>I have installed this RPM on my firewall and it works
|
||||
fine.</p>
|
||||
</font>I have installed this RPM on my firewall and it works
|
||||
fine.</p>
|
||||
|
||||
|
||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||
the patches are available for download. This <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||
which corrects a problem with parsing of the --log-level specification
|
||||
which corrects a problem with parsing of the --log-level specification
|
||||
while this <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
|
||||
|
||||
<p align="left">To install one of the above patches:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>cd iptables-1.2.3/extensions</li>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
<li>cd iptables-1.2.3/extensions</li>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18
|
||||
and RedHat iptables</h3>
|
||||
and RedHat iptables</h3>
|
||||
|
||||
<blockquote>
|
||||
|
||||
@ -172,74 +184,81 @@ download from<font color="#ff6633"> <a
|
||||
<blockquote>
|
||||
|
||||
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br></pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
||||
user-space debugging code was not updated to reflect recent changes in
|
||||
user-space debugging code was not updated to reflect recent changes in
|
||||
the Netfilter 'mangle' table. You can correct the problem by
|
||||
installing <a
|
||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version
|
||||
of iptables, you will need to specify the --oldpackage option to
|
||||
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version
|
||||
of iptables, you will need to specify the --oldpackage option
|
||||
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<h3><a name="SuSE"></a>Problems installing/upgrading
|
||||
RPM on SuSE</h3>
|
||||
|
||||
|
||||
<p>If you find that rpm complains about a conflict
|
||||
with kernel <= 2.2 yet you have a 2.4 kernel
|
||||
installed, simply use the "--nodeps" option to
|
||||
rpm.</p>
|
||||
with kernel <= 2.2 yet you have a 2.4 kernel
|
||||
installed, simply use the "--nodeps" option to
|
||||
rpm.</p>
|
||||
|
||||
|
||||
<p>Installing: rpm -ivh --nodeps <i><shorewall rpm></i></p>
|
||||
|
||||
|
||||
<p>Upgrading: rpm -Uvh --nodeps <i><shorewall rpm></i></p>
|
||||
|
||||
|
||||
<h3><a name="Multiport"></a><b>Problems with
|
||||
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
|
||||
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
|
||||
|
||||
|
||||
<p>The iptables 1.2.7 release of iptables has made
|
||||
an incompatible change to the syntax used to
|
||||
specify multiport match rules; as a consequence,
|
||||
if you install iptables 1.2.7 you must be running
|
||||
Shorewall 1.3.7a or later or:</p>
|
||||
an incompatible change to the syntax used to
|
||||
specify multiport match rules; as a consequence,
|
||||
if you install iptables 1.2.7 you must be running
|
||||
Shorewall 1.3.7a or later or:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>set MULTIPORT=No
|
||||
in /etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running
|
||||
Shorewall 1.3.6 you may install
|
||||
<a
|
||||
<li>set MULTIPORT=No
|
||||
in /etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running
|
||||
Shorewall 1.3.6 you may install
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
||||
this firewall script</a> in /var/lib/shorewall/firewall
|
||||
this firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
|
||||
</h3>
|
||||
/etc/shorewall/nat entries of the following form will result
|
||||
</h3>
|
||||
/etc/shorewall/nat entries of the following form will result
|
||||
in Shorewall being unable to start:<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
Error message is:<br>
|
||||
Error message is:<br>
|
||||
|
||||
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support
|
||||
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
|
||||
it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton
|
||||
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
The solution is to put "no" in the LOCAL column. Kernel
|
||||
support for LOCAL=yes has never worked properly and 2.4.18-10 has
|
||||
disabled it. The 2.4.19 kernel contains corrected support under a new
|
||||
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
|
||||
<p><font size="2"> Last updated 2/8/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
<p><font size="2"> Last updated 3/21/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -17,88 +17,93 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>"The configuration is intuitive and flexible, and much easier than any
|
||||
of the other iptables-based firewall programs out there. After sifting through
|
||||
many other scripts, it is obvious that yours is the most well thought-out
|
||||
and complete one available." -- BC, USA</p>
|
||||
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
|
||||
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
|
||||
</p>
|
||||
"My case was almost like [the one above]. Well. instead of 'weeks' it was
|
||||
'months' for me, and I think I needed two minutes more:<br>
|
||||
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
|
||||
</p>
|
||||
"My case was almost like [the one above]. Well. instead of 'weeks' it was
|
||||
'months' for me, and I think I needed two minutes more:<br>
|
||||
|
||||
<ul>
|
||||
<li>One to see that I had no Internet access from the firewall itself.</li>
|
||||
<li>Other to see that this was the default configuration, and it was enough
|
||||
to uncomment a line in /etc/shorewall/policy.<br>
|
||||
</li>
|
||||
<li>One to see that I had no Internet access from the firewall itself.</li>
|
||||
<li>Other to see that this was the default configuration, and it was
|
||||
enough to uncomment a line in /etc/shorewall/policy.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
Minutes instead of months! Congratulations and thanks for such a simple
|
||||
Minutes instead of months! Congratulations and thanks for such a simple
|
||||
and well documented thing for something as huge as iptables." -- JV, Spain.
|
||||
|
||||
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
|
||||
any problems. Your documentation is great and I really appreciate your
|
||||
network configuration info. That really helped me out alot. THANKS!!!"
|
||||
-- MM. </p>
|
||||
any problems. Your documentation is great and I really appreciate
|
||||
your network configuration info. That really helped me out alot. THANKS!!!"
|
||||
-- MM. </p>
|
||||
|
||||
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
|
||||
scripts but this one is till now the best." -- B.R, Netherlands
|
||||
</p>
|
||||
scripts but this one is till now the best." -- B.R, Netherlands
|
||||
</p>
|
||||
|
||||
<p>"Never in my +12 year career as a sys admin have I witnessed someone
|
||||
so relentless in developing a secure, state of the art, safe and useful
|
||||
product as the Shorewall firewall package for no cost or obligation
|
||||
involved." -- Mario Kerecki, Toronto </p>
|
||||
so relentless in developing a secure, state of the art, safe and useful
|
||||
product as the Shorewall firewall package for no cost or obligation
|
||||
involved." -- Mario Kerecki, Toronto </p>
|
||||
|
||||
<p>"one time more to report, that your great shorewall in the latest
|
||||
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
|
||||
7 machines up and running with shorewall on several versions - starting
|
||||
with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
|
||||
-- SM, Germany</p>
|
||||
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
|
||||
have 7 machines up and running with shorewall on several versions -
|
||||
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
|
||||
any problems!" -- SM, Germany</p>
|
||||
|
||||
<p>"You have the best support of any other package I've ever used."
|
||||
-- SE, US </p>
|
||||
-- SE, US </p>
|
||||
|
||||
<p>"Because our company has information which has been classified by the
|
||||
national government as secret, our security doesn't stop by putting a fence
|
||||
around our company. Information security is a hot issue. We also make use
|
||||
of checkpoint firewalls, but not all of the internet servers are guarded
|
||||
by checkpoint, some of them are running....Shorewall." -- Name withheld by
|
||||
request, Europe</p>
|
||||
national government as secret, our security doesn't stop by putting a fence
|
||||
around our company. Information security is a hot issue. We also make use
|
||||
of checkpoint firewalls, but not all of the internet servers are guarded
|
||||
by checkpoint, some of them are running....Shorewall." -- Name withheld
|
||||
by request, Europe</p>
|
||||
|
||||
<p>"thanx for all your efforts you put into shorewall - this product stands
|
||||
out against a lot of commercial stuff i´ve been working with in terms of
|
||||
flexibillity, quality & support" -- RM, Austria</p>
|
||||
out against a lot of commercial stuff i´ve been working with in terms of
|
||||
flexibillity, quality & support" -- RM, Austria</p>
|
||||
|
||||
<p>"I have never seen such a complete firewall package that is so easy to
|
||||
configure. I searched the Debian package system for firewall scripts and
|
||||
Shorewall won hands down." -- RG, Toronto</p>
|
||||
configure. I searched the Debian package system for firewall scripts and
|
||||
Shorewall won hands down." -- RG, Toronto</p>
|
||||
|
||||
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
|
||||
is a wonderful piece of software. I've just sent out an email to about 30
|
||||
people recommending it. :-)<br>
|
||||
While I had previously taken the time (maybe 40 hours) to really understand
|
||||
ipchains, then spent at least an hour per server customizing and carefully
|
||||
scrutinizing firewall rules, I've got shorewall running on my home firewall,
|
||||
with rulesets and policies that I know make sense, in under 20 minutes."
|
||||
-- RP, Guatamala<br>
|
||||
<br>
|
||||
</p>
|
||||
is a wonderful piece of software. I've just sent out an email to about
|
||||
30 people recommending it. :-)<br>
|
||||
While I had previously taken the time (maybe 40 hours) to really understand
|
||||
ipchains, then spent at least an hour per server customizing and carefully
|
||||
scrutinizing firewall rules, I've got shorewall running on my home firewall,
|
||||
with rulesets and policies that I know make sense, in under 20 minutes."
|
||||
-- RP, Guatamala<br>
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
@ -28,11 +28,11 @@
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
<td width="100%"
|
||||
height="90">
|
||||
|
||||
|
||||
@ -49,18 +49,19 @@
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><a
|
||||
</a></i></font><a
|
||||
href="http://www.shorewall.net" target="_top"><img border="1"
|
||||
src="images/shorewall.jpg" width="119" height="38" hspace="4"
|
||||
alt="(Shorewall Logo)" align="right" vspace="4">
|
||||
</a></h1>
|
||||
<small><small><small><small><a
|
||||
</a></h1>
|
||||
<small><small><small><small><a
|
||||
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
|
||||
|
||||
<div align="center">
|
||||
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
|
||||
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top">
|
||||
@ -78,14 +79,14 @@
|
||||
|
||||
|
||||
|
||||
<div align="center"><a href="http://1.3/index.htm" target="_top"><font
|
||||
<div align="center"><a href="1.3" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.3 Site is here</font></a>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</div>
|
||||
</td>
|
||||
</div>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -106,11 +107,11 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
@ -154,26 +155,26 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the
|
||||
it under the
|
||||
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU General Public License</a> as published by the Free
|
||||
Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR
|
||||
A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
for more details.<br>
|
||||
warranty of MERCHANTABILITY or FITNESS FOR
|
||||
A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
for more details.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
You should have received
|
||||
a copy of the GNU General Public License
|
||||
along with this program; if not, write
|
||||
to the Free Software Foundation, Inc., 675
|
||||
You should have received
|
||||
a copy of the GNU General Public License
|
||||
along with this program; if not, write
|
||||
to the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
@ -205,14 +206,15 @@ to the Free Software Foundation, Inc., 675
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo
|
||||
and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features
|
||||
</a>Jacques Nilo
|
||||
and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features
|
||||
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||||
their work at: <a
|
||||
their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -221,290 +223,68 @@ to the Free Software Foundation, Inc., 675
|
||||
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.1!!! </b><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||||
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
|
||||
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><b> </b></p>
|
||||
Shorewall 1.4 represents
|
||||
the next step in the evolution of Shorewall. The main thrust of the
|
||||
initial release is simply to remove the cruft that has accumulated in
|
||||
Shorewall over time. <br>
|
||||
<br>
|
||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||
('ip' utility).</b><br>
|
||||
<br>
|
||||
Function from 1.3 that has been omitted from this version
|
||||
include:<br>
|
||||
|
||||
|
||||
</b><b> </b></p>
|
||||
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
|
||||
and removes additional warts.<br>
|
||||
<br>
|
||||
<b>Problems Corrected:</b><br>
|
||||
<ol>
|
||||
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
|
||||
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
in /etc/shorewall/interfaces now generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||
of the 'noping' or 'filterping' interface options.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||
and /etc/shorewall/hosts files is no longer supported and will generate
|
||||
an error at startup if specified.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
|
||||
longer accepted.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The icmp.def file has been removed.<br>
|
||||
</li>
|
||||
|
||||
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
|
||||
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
|
||||
file is empty. That problem has been corrected so that ECN disabling rules
|
||||
are only added if there are entries in /etc/shorewall/ecn.</li>
|
||||
</ol>
|
||||
Changes for 1.4 include:<br>
|
||||
|
||||
|
||||
<b>New Features:</b><br>
|
||||
<blockquote>Note: In the list that follows, the term <i>group </i>refers
|
||||
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
|
||||
a host address) accessed through a particular interface. Examples:<br>
|
||||
<blockquote>eth0:0.0.0.0/0<br>
|
||||
eth2:192.168.1.0/24<br>
|
||||
eth3:192.0.2.123<br>
|
||||
</blockquote>
|
||||
You can use the "shorewall check" command to see the groups associated with
|
||||
each of your zones.<br>
|
||||
</blockquote>
|
||||
<ol>
|
||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||
reorganized into logical sections.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The firewall script, common functions file and version file
|
||||
are now installed in /usr/share/shorewall.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Late arriving DNS replies are now silently dropped in the
|
||||
common chain by default.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if
|
||||
you want to 'ping' from the firewall, you will need the appropriate rule
|
||||
or policy.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||
now support the 'maclist' option.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
|
||||
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
||||
file. To use this facility:<br>
|
||||
<br>
|
||||
a) You must be running kernel 2.4.20<br>
|
||||
b) You must have applied the patch in<br>
|
||||
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
||||
c) You must have iptables 1.2.7a installed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The /etc/shorewall/params file is now processed first so that
|
||||
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="10">Shorewall now gives a more helpful diagnostic when
|
||||
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
|
||||
command is issued.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The SHARED_DIR variable has been removed from shorewall.conf.
|
||||
This variable was for use by package maintainers and was not documented
|
||||
for general use.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall now ignores 'default' routes when detecting masq'd
|
||||
networks.<br>
|
||||
</li>
|
||||
|
||||
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
|
||||
one group<i> </i>then if there is no explicit Z to Z policy and there are
|
||||
no rules governing traffic from Z to Z then Shorewall will permit all traffic
|
||||
between the groups in the zone.</li>
|
||||
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
|
||||
to handle traffic from a group to itself.</li>
|
||||
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
|
||||
specified from Z1 to Z2:</li>
|
||||
</ol>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top"></a>
|
||||
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>A roleup of the following bug fixes and other updates:</p>
|
||||
|
||||
<ul>
|
||||
<li>There is an updated rfc1918 file that reflects the resent
|
||||
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
|
||||
<li>The documentation for the routestopped file claimed that a
|
||||
comma-separated list could appear in the second column while the code
|
||||
only supported a single host or network address.</li>
|
||||
<li>Log messages produced by 'logunclean' and 'dropunclean' were
|
||||
not rate-limited. 802.11b devices with names of the form <i>wlan</i><n>
|
||||
don't support the 'maclist' interface option.</li>
|
||||
<li>Log messages generated by RFC 1918 filtering are not rate
|
||||
limited.</li>
|
||||
<li>The firewall fails to start in the case
|
||||
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
|
||||
is through eth1.</li>
|
||||
|
||||
<li>There may be no rules created that govern connections from Z1
|
||||
to Z2.</li>
|
||||
<li>Shorewall will not create any infrastructure to handle traffic
|
||||
from Z1 to Z2.</li>
|
||||
</ul>
|
||||
|
||||
|
||||
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
|
||||
|
||||
|
||||
<p>New features include</p>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>An OLD_PING_HANDLING option has been added
|
||||
to shorewall.conf. When set to Yes, Shorewall ping handling is
|
||||
as it has always been (see http://www.shorewall.net/ping.html).<br>
|
||||
<br>
|
||||
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
|
||||
via rules and policies just like any other connection request.
|
||||
The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
|
||||
'filterping' options in /etc/shorewall/interfaces will all generate
|
||||
an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>It is now possible to direct Shorewall to create
|
||||
a "label" such as "eth0:0" for IP addresses that it creates under
|
||||
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
|
||||
the label instead of just the interface name:<br>
|
||||
<br>
|
||||
a) In the INTERFACE column of /etc/shorewall/masq<br>
|
||||
b) In the INTERFACE column of /etc/shorewall/nat<br>
|
||||
</li>
|
||||
<li>Support for OpenVPN Tunnels.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Support for VLAN devices with names of the
|
||||
form $DEV.$VID (e.g., eth0.0)<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/tcrules, the MARK value may
|
||||
be optionally followed by ":" and either 'F' or 'P' to designate that
|
||||
the marking will occur in the FORWARD or PREROUTING chains respectively.
|
||||
If this additional specification is omitted, the chain used to mark packets
|
||||
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
|
||||
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When an interface name is entered in the SUBNET
|
||||
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
|
||||
traffic from only the first subnet defined on that interface. It
|
||||
did not masquerade traffic from:<br>
|
||||
<br>
|
||||
a) The subnets associated with other addresses
|
||||
on the interface.<br>
|
||||
b) Subnets accessed through local routers.<br>
|
||||
<br>
|
||||
Beginning with Shorewall 1.3.14, if you enter an interface
|
||||
name in the SUBNET column, shorewall will use the firewall's routing
|
||||
table to construct the masquerading/SNAT rules.<br>
|
||||
<br>
|
||||
Example 1 -- This is how it works in 1.3.14.<br>
|
||||
<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
|
||||
<br>
|
||||
When upgrading to Shorewall 1.3.14, if you have multiple
|
||||
local subnets connected to an interface that is specified in the
|
||||
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
|
||||
file will need changing. In most cases, you will simply be able to remove
|
||||
redundant entries. In some cases though, you might want to change from
|
||||
using the interface name to listing specific subnetworks if the change
|
||||
described above will cause masquerading to occur on subnetworks that you
|
||||
don't wish to masquerade.<br>
|
||||
<br>
|
||||
Example 2 -- Suppose that your current config is as
|
||||
follows:<br>
|
||||
<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, the second entry in /etc/shorewall/masq
|
||||
is no longer required.<br>
|
||||
<br>
|
||||
Example 3 -- What if your current configuration is
|
||||
like this?<br>
|
||||
<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, you would want to change the entry
|
||||
in /etc/shorewall/masq to:<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
</li>
|
||||
|
||||
|
||||
</ol>
|
||||
<br>
|
||||
|
||||
|
||||
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
|
||||
</b></p>
|
||||
Webmin version 1.060 now has Shorewall support included
|
||||
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
|
||||
</b>
|
||||
|
||||
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
|
||||
of how these changes may affect your configuration.<br>
|
||||
<p><a href="News.htm">More News</a></p>
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
<td width="88"
|
||||
<td width="88"
|
||||
bgcolor="#4b017c" valign="top" align="center"> <a
|
||||
href="http://sourceforge.net">M</a></td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -515,9 +295,9 @@ like this?<br>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
</center>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
@ -526,11 +306,11 @@ like this?<br>
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
<td width="100%"
|
||||
style="margin-top: 1px;">
|
||||
|
||||
|
||||
@ -546,7 +326,7 @@ like this?<br>
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -561,13 +341,13 @@ like this?<br>
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -581,9 +361,11 @@ Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -18,80 +18,80 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="center"> <img border="3" src="images/TomNTarry.png"
|
||||
alt="Tom on the PCT - 1991" width="316" height="392">
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<p align="center">Tarry & Tom -- August 2002<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Born 1945 in <a
|
||||
<li>Born 1945 in <a
|
||||
href="http://www.experiencewashington.com">Washington State</a> .</li>
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
State University</a> 1967</li>
|
||||
<li>MA Mathematics from <a
|
||||
<li>MA Mathematics from <a
|
||||
href="http://www.washington.edu">University of Washington</a> 1969</li>
|
||||
<li>Burroughs Corporation (now <a
|
||||
<li>Burroughs Corporation (now <a
|
||||
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
|
||||
present</li>
|
||||
<li>Married 1969 - no children.</li>
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980
|
||||
- present</li>
|
||||
<li>Married 1969 - no children.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>I am currently a member of the design team for the next-generation
|
||||
operating system from the NonStop Enterprise Division of HP. </p>
|
||||
operating system from the NonStop Enterprise Division of HP. </p>
|
||||
|
||||
<p>I became interested in Internet Security when I established a home office
|
||||
in 1999 and had DSL service installed in our home. I investigated
|
||||
ipchains and developed the scripts which are now collectively known
|
||||
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
|
||||
Expanding on what I learned from Seattle Firewall, I then designed
|
||||
and wrote Shorewall. </p>
|
||||
ipchains and developed the scripts which are now collectively known as
|
||||
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
|
||||
on what I learned from Seattle Firewall, I then designed and
|
||||
wrote Shorewall. </p>
|
||||
|
||||
<p>I telework from our <a
|
||||
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
|
||||
href="http://www.cityofshoreline.com">Shoreline, Washington</a>
|
||||
where I live with my wife Tarry. </p>
|
||||
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
|
||||
I live with my wife Tarry. </p>
|
||||
|
||||
<p>Our current home network consists of: </p>
|
||||
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &
|
||||
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
|
||||
Serves as a PPTP server for Road Warrior access. Dual boots <a
|
||||
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as
|
||||
a WINS server. This system also has <a
|
||||
href="http://www.vmware.com/">VMware</a> installed and can run
|
||||
both <a href="http://www.debian.org">Debian Woody</a> and <a
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as a
|
||||
WINS server. This system also has <a
|
||||
href="http://www.vmware.com/">VMware</a> installed and can run both
|
||||
<a href="http://www.debian.org">Debian Woody</a> and <a
|
||||
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
|
||||
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
|
||||
DNS server (Bind 9).</li>
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
|
||||
LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.14
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
|
||||
LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.4.0
|
||||
and a DHCP server.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
|
||||
My wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
|
||||
work system.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
|
||||
- My wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
|
||||
main work system.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -104,25 +104,26 @@ My wife's personal system.</li>
|
||||
|
||||
<p><a href="http://www.redhat.com"><img border="0"
|
||||
src="images/poweredby.png" width="88" height="31">
|
||||
</a><a href="http://www.compaq.com"><img border="0"
|
||||
</a><a href="http://www.compaq.com"><img border="0"
|
||||
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
src="images/pure.jpg" width="88" height="31">
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
|
||||
height="20">
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
|
||||
height="32">
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
width="125" height="40" hspace="4">
|
||||
</font></p>
|
||||
</font></p>
|
||||
|
||||
<p><font size="2">Last updated 3/7/2003 - </font><font size="2"> <a
|
||||
<p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
|
||||
M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -17,51 +17,53 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Shorewall Requires:<br>
|
||||
<br>
|
||||
Shorewall Requires:<br>
|
||||
|
||||
<ul>
|
||||
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
|
||||
<a href="kernel.htm"> Check here for kernel configuration information.</a>
|
||||
If you are looking for a firewall for use with 2.2 kernels, <a
|
||||
href="http://seawall.sf.net"> see the Seattle Firewall site</a>
|
||||
.</li>
|
||||
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
|
||||
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
|
||||
With current releases of Shorewall, Traffic Shaping/Control requires at least
|
||||
2.4.18. <a href="kernel.htm"> Check here for kernel configuration
|
||||
information.</a> If you are looking for a firewall for use with
|
||||
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall
|
||||
site</a> .</li>
|
||||
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
|
||||
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
|
||||
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
|
||||
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
|
||||
is available <a
|
||||
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
|
||||
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
|
||||
is available <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
|
||||
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
|
||||
<li>Iproute ("ip" utility). The iproute package is included with
|
||||
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
|
||||
<li>Iproute ("ip" utility). The iproute package is included with
|
||||
most distributions but may not be installed by default. The official
|
||||
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
|
||||
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
|
||||
</li>
|
||||
<li>A Bourne shell or derivative such as bash or ash. This shell must
|
||||
<li>A Bourne shell or derivative such as bash or ash. This shell must
|
||||
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
|
||||
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
|
||||
} and ${<i>variable</i>##<i>pattern</i>}.</li>
|
||||
<li>The firewall monitoring display is greatly improved if you have
|
||||
awk (gawk) installed.</li>
|
||||
<li>The firewall monitoring display is greatly improved if you have
|
||||
awk (gawk) installed.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left"><font size="2">Last updated 2/21/2003 - <a
|
||||
<p align="left"><font size="2">Last updated 3/19/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
@ -28,11 +28,11 @@
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
<td width="100%"
|
||||
height="90">
|
||||
|
||||
|
||||
@ -49,7 +49,7 @@
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font
|
||||
</a></i></font><font
|
||||
color="#ffffff">Shorewall 1.4 - <font
|
||||
size="4">"<i>iptables made easy"</i></font></font><a
|
||||
href="http://www.sf.net"> </a></h1>
|
||||
@ -68,8 +68,8 @@
|
||||
<div align="center"><a href="/1.3/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -89,11 +89,11 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
@ -121,10 +121,10 @@
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
|
||||
based firewall that can be used on a dedicated firewall system,
|
||||
a multi-function gateway/router/server or on a standalone
|
||||
GNU/Linux system.</p>
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
|
||||
based firewall that can be used on a dedicated firewall
|
||||
system, a multi-function gateway/router/server or on a standalone
|
||||
GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
@ -139,27 +139,27 @@
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the
|
||||
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
it under the
|
||||
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU General Public License</a> as published by the Free
|
||||
Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR
|
||||
A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
for more details.<br>
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR
|
||||
A PARTICULAR PURPOSE. See the GNU General Public
|
||||
License for more details.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
You should have received
|
||||
You should have received
|
||||
a copy of the GNU General Public License
|
||||
along with this program; if not, write
|
||||
to the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
along with this program; if not, write
|
||||
to the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
@ -190,17 +190,17 @@ to the Free Software Foundation, Inc., 675
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques
|
||||
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features
|
||||
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||||
their work at: <a
|
||||
</a>Jacques
|
||||
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features
|
||||
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||||
their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||
<b>Congratulations
|
||||
<b>Congratulations
|
||||
to Jacques and Eric on the recent release of Bering
|
||||
1.1!!! <br>
|
||||
</b>
|
||||
1.1!!! <br>
|
||||
</b>
|
||||
|
||||
|
||||
|
||||
@ -222,257 +222,12 @@ Nilo and Eric Wolzak have a LEAF (router/firewall/gatew
|
||||
|
||||
|
||||
|
||||
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
|
||||
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><b> </b></p>
|
||||
Shorewall 1.4 represents
|
||||
the next step in the evolution of Shorewall. The main thrust of the
|
||||
initial release is simply to remove the cruft that has accumulated in
|
||||
Shorewall over time. <br>
|
||||
<br>
|
||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||
('ip' utility).</b><br>
|
||||
<br>
|
||||
Function from 1.3 that has been omitted from this version
|
||||
include:<br>
|
||||
</b><b> </b></p>
|
||||
<b> </b>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
|
||||
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
in /etc/shorewall/interfaces now generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||
of the 'noping' or 'filterping' interface options.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||
and /etc/shorewall/hosts files is no longer supported and will generate
|
||||
an error at startup if specified.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
|
||||
longer accepted.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
|
||||
Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The icmp.def file has been removed.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Changes for 1.4 include:<br>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||
reorganized into logical sections.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The firewall script, common functions file and version file
|
||||
are now installed in /usr/share/shorewall.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Late arriving DNS replies are now silently dropped in the
|
||||
common chain by default.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
|
||||
want to 'ping' from the firewall, you will need the appropriate rule or
|
||||
policy.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||
now support the 'maclist' option.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
|
||||
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
||||
file. To use this facility:<br>
|
||||
<br>
|
||||
a) You must be running kernel 2.4.20<br>
|
||||
b) You must have applied the patch in<br>
|
||||
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
||||
c) You must have iptables 1.2.7a installed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The /etc/shorewall/params file is now processed first so that
|
||||
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="10">Shorewall now gives a more helpful diagnostic when
|
||||
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
|
||||
command is issued.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The SHARED_DIR variable has been removed from shorewall.conf.
|
||||
This variable was for use by package maintainers and was not documented
|
||||
for general use.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall now ignores 'default' routes when detecting masq'd
|
||||
networks.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
|
||||
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>A roleup of the following bug fixes and other updates:</p>
|
||||
|
||||
<ul>
|
||||
<li>There is an updated rfc1918 file that reflects the resent
|
||||
allocation of 222.0.0.0/8 and 223.0.0.0/8. </li>
|
||||
<li>The documentation for the routestopped file claimed that a comma-separated
|
||||
list could appear in the second column while the code only supported a
|
||||
single host or network address. </li>
|
||||
<li>Log messages produced by 'logunclean' and 'dropunclean' were
|
||||
not rate-limited. </li>
|
||||
<li>802.11b devices with names of the form <i>wlan</i><n>
|
||||
don't support the 'maclist' interface option. </li>
|
||||
<li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
|
||||
<li>The firewall fails to start in the case where you have "eth0
|
||||
eth1" in /etc/shorewall/masq and the default route is through eth1
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
|
||||
|
||||
|
||||
<p>New features include</p>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
|
||||
When set to Yes, Shorewall ping handling is as it has always been
|
||||
(see http://www.shorewall.net/ping.html).<br>
|
||||
<br>
|
||||
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
|
||||
via rules and policies just like any other connection request. The
|
||||
FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
|
||||
options in /etc/shorewall/interfaces will all generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>It is now possible to direct Shorewall to create
|
||||
a "label" such as "eth0:0" for IP addresses that it creates under
|
||||
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
|
||||
the label instead of just the interface name:<br>
|
||||
<br>
|
||||
a) In the INTERFACE column of /etc/shorewall/masq<br>
|
||||
b) In the INTERFACE column of /etc/shorewall/nat<br>
|
||||
</li>
|
||||
<li>Support for OpenVPN Tunnels.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Support for VLAN devices with names of the form
|
||||
$DEV.$VID (e.g., eth0.0)<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/tcrules, the MARK value may be
|
||||
optionally followed by ":" and either 'F' or 'P' to designate that the
|
||||
marking will occur in the FORWARD or PREROUTING chains respectively.
|
||||
If this additional specification is omitted, the chain used to mark packets
|
||||
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
|
||||
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When an interface name is entered in the SUBNET
|
||||
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
|
||||
traffic from only the first subnet defined on that interface. It
|
||||
did not masquerade traffic from:<br>
|
||||
<br>
|
||||
a) The subnets associated with other addresses on the
|
||||
interface.<br>
|
||||
b) Subnets accessed through local routers.<br>
|
||||
<br>
|
||||
Beginning with Shorewall 1.3.14, if you enter an interface
|
||||
name in the SUBNET column, shorewall will use the firewall's routing
|
||||
table to construct the masquerading/SNAT rules.<br>
|
||||
<br>
|
||||
Example 1 -- This is how it works in 1.3.14.<br>
|
||||
<br>
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
|
||||
<br>
|
||||
When upgrading to Shorewall 1.3.14, if you have multiple
|
||||
local subnets connected to an interface that is specified in the
|
||||
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
|
||||
file will need changing. In most cases, you will simply be able to remove
|
||||
redundant entries. In some cases though, you might want to change from
|
||||
using the interface name to listing specific subnetworks if the change described
|
||||
above will cause masquerading to occur on subnetworks that you don't wish
|
||||
to masquerade.<br>
|
||||
<br>
|
||||
Example 2 -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, the second entry in /etc/shorewall/masq
|
||||
is no longer required.<br>
|
||||
<br>
|
||||
Example 3 -- What if your current configuration is like
|
||||
this?<br>
|
||||
<br>
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, you would want to change the entry in
|
||||
/etc/shorewall/masq to:<br>
|
||||
|
||||
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
</li>
|
||||
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
|
||||
</b></p>
|
||||
Webmin version 1.060 now has Shorewall support included
|
||||
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>
|
||||
<b> </b>
|
||||
|
||||
|
||||
|
||||
|
||||
@ -502,6 +257,50 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
|
||||
|
||||
|
||||
|
||||
<p>This release follows up on 1.4.0. It corrects a problem introduced
|
||||
in 1.4.0 and removes additional warts.<br>
|
||||
<br>
|
||||
<b>Problems Corrected:</b><br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
|
||||
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
|
||||
is empty. That problem has been corrected so that ECN disabling rules are
|
||||
only added if there are entries in /etc/shorewall/ecn.</li>
|
||||
</ol>
|
||||
<b>New Features:</b><br>
|
||||
|
||||
<blockquote>Note: In the list that follows, the term <i>group </i>refers
|
||||
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
|
||||
a host address) accessed through a particular interface. Examples:<br>
|
||||
|
||||
<blockquote>eth0:0.0.0.0/0<br>
|
||||
eth2:192.168.1.0/24<br>
|
||||
eth3:192.0.2.123<br>
|
||||
</blockquote>
|
||||
You can use the "shorewall check" command to see the groups associated with
|
||||
each of your zones.<br>
|
||||
</blockquote>
|
||||
|
||||
<ol>
|
||||
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
|
||||
one group<i> </i>then if there is no explicit Z to Z policy and there are
|
||||
no rules governing traffic from Z to Z then Shorewall will permit all traffic
|
||||
between the groups in the zone.</li>
|
||||
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
|
||||
to handle traffic from a group to itself.</li>
|
||||
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
|
||||
specified from Z1 to Z2:</li>
|
||||
</ol>
|
||||
|
||||
<ul>
|
||||
<li>There may be no rules created that govern connections from Z1
|
||||
to Z2.</li>
|
||||
<li>Shorewall will not create any infrastructure to handle traffic
|
||||
from Z1 to Z2.</li>
|
||||
</ul>
|
||||
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
|
||||
of how these changes may affect your configuration.
|
||||
<p><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
@ -527,7 +326,7 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
|
||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||
alt="SourceForge Logo"
|
||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||
</a></h1>
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
@ -555,13 +354,14 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
<td width="88"
|
||||
<td width="88"
|
||||
bgcolor="#4b017c" valign="top" align="center"> <br>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -573,9 +373,9 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
</center>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
@ -584,11 +384,11 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
<td width="100%"
|
||||
style="margin-top: 1px;">
|
||||
|
||||
|
||||
@ -604,7 +404,7 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -618,15 +418,16 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||
Foundation.</font></a> Thanks!</font></p>
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -640,10 +441,11 @@ Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -18,9 +18,9 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
|
||||
@ -28,9 +28,9 @@
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
|
||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -39,32 +39,32 @@
|
||||
|
||||
|
||||
<h2>Before Reporting a Problem or Asking a Question<br>
|
||||
</h2>
|
||||
There are a number
|
||||
of sources of Shorewall information. Please try these before you post.
|
||||
</h2>
|
||||
There are a number
|
||||
of sources of Shorewall information. Please try these before you post.
|
||||
|
||||
|
||||
<ul>
|
||||
<li>More than half of the questions posted
|
||||
on the support list have answers directly accessible from the <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
|
||||
</li>
|
||||
<li> The <a
|
||||
<li>More than half of the questions posted
|
||||
on the support list have answers directly accessible from the
|
||||
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
|
||||
</li>
|
||||
<li> The <a
|
||||
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
|
||||
</li>
|
||||
</li>
|
||||
|
||||
<li> The <a
|
||||
<li> The <a
|
||||
href="troubleshoot.htm">Troubleshooting</a> Information contains
|
||||
a number of tips to help you solve common problems.
|
||||
</li>
|
||||
a number of tips to help you solve common problems.
|
||||
</li>
|
||||
|
||||
<li> The <a
|
||||
<li> The <a
|
||||
href="errata.htm"> Errata</a> has links to download updated
|
||||
components. </li>
|
||||
|
||||
<li> The Site and Mailing
|
||||
List Archives search facility can locate documents and posts
|
||||
about similar problems: </li>
|
||||
<li> The Site and Mailing
|
||||
List Archives search facility can locate documents and posts
|
||||
about similar problems: </li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -80,12 +80,12 @@ of sources of Shorewall information. Please try these before you post.
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
Format:
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
Sort by:
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
<option value="time">Time </option>
|
||||
@ -94,49 +94,49 @@ of sources of Shorewall information. Please try these before you post.
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font><input type="hidden" name="config" value="htdig"><input
|
||||
</font><input type="hidden" name="config" value="htdig"><input
|
||||
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
|
||||
List Archives:
|
||||
List Archives:
|
||||
<select size="1" name="exclude">
|
||||
<option value="">Yes</option>
|
||||
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
|
||||
</select>
|
||||
</font><br>
|
||||
Search: <input type="text" size="30" name="words" value=""> <input
|
||||
</font><br>
|
||||
Search: <input type="text" size="30" name="words" value=""> <input
|
||||
type="submit" value="Search"><br>
|
||||
</form>
|
||||
</blockquote>
|
||||
</form>
|
||||
</blockquote>
|
||||
|
||||
<h2>Problem Reporting Guidelines<br>
|
||||
</h2>
|
||||
</h2>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Please remember we only know what is posted
|
||||
in your message. Do not leave out any information that appears to
|
||||
be correct, or was mentioned in a previous post. There have been
|
||||
<li>Please remember we only know what is posted
|
||||
in your message. Do not leave out any information that appears
|
||||
to be correct, or was mentioned in a previous post. There have been
|
||||
countless posts by people who were sure that some part of their
|
||||
configuration was correct when it actually contained a small error.
|
||||
We tend to be skeptics where detail is lacking.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please keep in mind that you're asking for
|
||||
<strong>free</strong> technical support. Any help we offer
|
||||
is an act of generosity, not an obligation. Try to make it easy
|
||||
configuration was correct when it actually contained a small error.
|
||||
We tend to be skeptics where detail is lacking.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please keep in mind that you're asking for
|
||||
<strong>free</strong> technical support. Any help we offer
|
||||
is an act of generosity, not an obligation. Try to make it easy
|
||||
for us to help you. Follow good, courteous practices in writing
|
||||
and formatting your e-mail. Provide details that we need if you expect
|
||||
good answers. <em>Exact quoting </em> of error messages, log entries,
|
||||
command output, and other output is better than a paraphrase or summary.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please don't
|
||||
describe your environment and then ask us to send you
|
||||
custom configuration files. We're here to answer your
|
||||
questions but we can't do your job for you.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When reporting a problem, <strong>ALWAYS</strong>
|
||||
include this information:</li>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please
|
||||
don't describe your environment and then ask us to send you
|
||||
custom configuration files. We're here to answer your
|
||||
questions but we can't do your job for you.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When reporting a problem, <strong>ALWAYS</strong>
|
||||
include this information:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -144,68 +144,68 @@ questions but we can't do your job for you.<br>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>the exact version of Shorewall you are running.<br>
|
||||
<br>
|
||||
<b><font color="#009900">shorewall version</font><br>
|
||||
</b> <br>
|
||||
</li>
|
||||
<li>the exact version of Shorewall you are
|
||||
running.<br>
|
||||
<br>
|
||||
<b><font color="#009900">shorewall version</font><br>
|
||||
</b> <br>
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>the exact kernel version you are running<br>
|
||||
<br>
|
||||
<font color="#009900"><b>uname -a<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
<li>the exact kernel version you are running<br>
|
||||
<br>
|
||||
<font color="#009900"><b>uname -a<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip addr show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip addr show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip route show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip route show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>If your kernel is modularized, the exact
|
||||
output from<br>
|
||||
<br>
|
||||
<font color="#009900"><b>lsmod</b></font><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>the exact wording of any <code
|
||||
<li>If your kernel is modularized, the exact
|
||||
output from<br>
|
||||
<br>
|
||||
<font color="#009900"><b>lsmod</b></font><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>the exact wording of any <code
|
||||
style="color: green; font-weight: bold;">ping</code> failure responses<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>If you installed Shorewall using one of the QuickStart
|
||||
Guides, please indicate which one. <br>
|
||||
<br>
|
||||
</li>
|
||||
<li><b>If you are running Shorewall under Mandrake using
|
||||
the Mandrake installation of Shorewall, please say so.</b><br>
|
||||
<br>
|
||||
</li>
|
||||
<br>
|
||||
</li>
|
||||
<li>If you installed Shorewall using one of the QuickStart
|
||||
Guides, please indicate which one. <br>
|
||||
<br>
|
||||
</li>
|
||||
<li><b>If you are running Shorewall under Mandrake
|
||||
using the Mandrake installation of Shorewall, please say so.</b><br>
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
@ -213,50 +213,51 @@ output from<br>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li><b>NEVER </b>include the output of "<b><font
|
||||
color="#009900">iptables -L</font></b>". Instead,<font
|
||||
color="#ff0000"><u><i><big> <b>if you are having connection problems of
|
||||
any kind then:</b></big></i></u></font><br>
|
||||
<br>
|
||||
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
|
||||
<br>
|
||||
2. Try the connection that is failing.<br>
|
||||
<br>
|
||||
3.<b><font color="#009900"> /sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||
<br>
|
||||
4. Post the /tmp/status.txt file as an attachment.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>As a general
|
||||
matter, please <strong>do not edit the diagnostic information</strong>
|
||||
in an attempt to conceal your IP address, netmask, nameserver addresses,
|
||||
domain name, etc. These aren't secrets, and concealing them often
|
||||
misleads us (and 80% of the time, a hacker could derive them anyway
|
||||
from information contained in the SMTP headers of your post).<br>
|
||||
<br>
|
||||
<strong></strong></li>
|
||||
<li>Do you see any "Shorewall" messages ("<b><font
|
||||
|
||||
<ul>
|
||||
<li><font color="#ff0000"><u><i><big><b>If you are having connection
|
||||
problems of any kind then:</b></big></i></u></font><br>
|
||||
<br>
|
||||
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
|
||||
<br>
|
||||
2. Try the connection that is failing.<br>
|
||||
<br>
|
||||
3.<b><font color="#009900"> /sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||
<br>
|
||||
4. Post the /tmp/status.txt file as an attachment.<br>
|
||||
<br>
|
||||
</li>
|
||||
</ul>
|
||||
<li>As a general
|
||||
matter, please <strong>do not edit the diagnostic information</strong>
|
||||
in an attempt to conceal your IP address, netmask, nameserver
|
||||
addresses, domain name, etc. These aren't secrets, and concealing
|
||||
them often misleads us (and 80% of the time, a hacker could derive them
|
||||
anyway from information contained in the SMTP headers of your post).<br>
|
||||
<br>
|
||||
<strong></strong></li>
|
||||
<li>Do you see any "Shorewall" messages ("<b><font
|
||||
color="#009900">/sbin/shorewall show log</font></b>") when
|
||||
you exercise the function that is giving you problems? If so, include
|
||||
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
|
||||
file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please include any of the Shorewall configuration files
|
||||
(especially the /etc/shorewall/hosts file if you have
|
||||
modified that file) that you think are relevant. If you
|
||||
you exercise the function that is giving you problems? If so,
|
||||
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
|
||||
file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please include any of the Shorewall configuration files
|
||||
(especially the /etc/shorewall/hosts file if you have
|
||||
modified that file) that you think are relevant. If you
|
||||
include /etc/shorewall/rules, please include /etc/shorewall/policy
|
||||
as well (rules are meaningless unless one also knows the policies).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>If an error occurs when you try to "<font
|
||||
as well (rules are meaningless unless one also knows the policies).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>If an error occurs when you try to "<font
|
||||
color="#009900"><b>shorewall start</b></font>", include a
|
||||
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li><b>The list server limits posts to 120kb so don't post GIFs
|
||||
of your network layout, etc. to the Mailing
|
||||
<br>
|
||||
</li>
|
||||
<li><b>The list server limits posts to 120kb so don't post GIFs
|
||||
of your network layout, etc. to the Mailing
|
||||
List -- your post will be rejected.</b></li>
|
||||
|
||||
</ul>
|
||||
@ -267,9 +268,9 @@ List -- your post will be rejected.</b></li>
|
||||
|
||||
The author gratefully acknowleges that the above list was heavily
|
||||
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
|
||||
found at <a
|
||||
found at <a
|
||||
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<h2>When using the mailing list, please post in plain text</h2>
|
||||
|
||||
@ -277,18 +278,18 @@ plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</e
|
||||
A growing number of MTAs serving list subscribers are rejecting
|
||||
all HTML traffic. At least one MTA has gone so far as to blacklist
|
||||
shorewall.net "for continuous abuse" because it has been my policy
|
||||
to allow HTML in list posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian
|
||||
way to control spam and that the ultimate losers here are not
|
||||
the spammers but the list subscribers whose MTAs are bouncing
|
||||
to allow HTML in list posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian
|
||||
way to control spam and that the ultimate losers here are not
|
||||
the spammers but the list subscribers whose MTAs are bouncing
|
||||
all shorewall.net mail. As one list subscriber wrote to me privately
|
||||
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
|
||||
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
|
||||
to allow subscribers to receive list posts as must as possible, I have
|
||||
now configured the list server at shorewall.net to strip all HTML
|
||||
from outgoing posts.<br>
|
||||
</blockquote>
|
||||
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
|
||||
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
|
||||
to allow subscribers to receive list posts as must as possible, I
|
||||
have now configured the list server at shorewall.net to strip all HTML
|
||||
from outgoing posts.<br>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
@ -298,42 +299,47 @@ from outgoing posts.<br>
|
||||
|
||||
<h4>If you run Shorewall under Bering -- <span
|
||||
style="font-weight: 400;">please post your question or problem
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
|
||||
Users mailing list</a>.</span></h4>
|
||||
<b>If you run Shorewall under MandrakeSoft Multi
|
||||
Network Firewall (MNF) and you have not purchased an MNF license
|
||||
from MandrakeSoft then you can post non MNF-specific Shorewall questions
|
||||
to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
|
||||
users mailing list</a>. <b>Do not expect to get free MNF support
|
||||
on the list or forum.</b><br>
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
|
||||
Users mailing list</a>.</span></h4>
|
||||
<b>If you run Shorewall under MandrakeSoft
|
||||
Multi Network Firewall (MNF) and you have not purchased an MNF
|
||||
license from MandrakeSoft then you can post non MNF-specific Shorewall
|
||||
questions to the </b><a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||
list</a> or to the <a
|
||||
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
||||
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
|
||||
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||
list</a>.</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>To Subscribe to the mailing list go to <a
|
||||
list</a> or to the <a
|
||||
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
||||
Forum</a>.<br>
|
||||
To Subscribe to the mailing list go to <a
|
||||
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.<br>
|
||||
</p>
|
||||
.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>For information on other Shorewall mailing lists, go to <a
|
||||
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
|
||||
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
|
||||
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -17,14 +17,14 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
@ -32,83 +32,84 @@
|
||||
<p align="left">Shorewall has limited support for traffic shaping/control.
|
||||
In order to use traffic shaping under Shorewall, it is essential that
|
||||
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
|
||||
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
|
||||
and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
|
||||
to be running Linux Kernel 2.4.18 or later.</p>
|
||||
|
||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
||||
|
||||
<ul>
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||
the setting of this variable determines whether Shorewall clears the traffic
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||
the setting of this variable determines whether Shorewall clears the traffic
|
||||
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you can
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you can
|
||||
specify firewall marking of packets. The firewall mark value may
|
||||
be used to classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
|
||||
that is sourced by Shorewall during "shorewall start" and which
|
||||
you can use to define your traffic shaping disciplines and classes.
|
||||
I have provided a <a
|
||||
I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||
of the HOWTO mentioned above, you can probably code your own faster
|
||||
than you can learn how to use my sample. I personally use <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
|
||||
HTB support may eventually become an integral part of Shorewall
|
||||
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
||||
order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||
of the HOWTO mentioned above, you can probably code your own
|
||||
faster than you can learn how to use my sample. I personally use
|
||||
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
|
||||
HTB support may eventually become an integral part of Shorewall
|
||||
since HTB is a lot simpler and better-documented than CBQ. As of
|
||||
2.4.20, HTB is a standard part of the kernel but iproute2 must be patched
|
||||
in order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use
|
||||
the run_tc function supplied by shorewall if you want tc errors
|
||||
to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by
|
||||
simply copying them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
|
||||
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
|
||||
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
you use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been
|
||||
applied so when traffic shaping happens, all outbound traffic will have
|
||||
as a source address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
|
||||
script won't work. Traffic shaping occurs after SNAT has already been applied
|
||||
so when traffic shaping happens, all outbound traffic will have as a source
|
||||
address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
|
||||
that is sourced by Shorewall when it is clearing traffic shaping.
|
||||
This file is normally not required as Shorewall's method of clearing
|
||||
qdisc and filter definitions is pretty general.</li>
|
||||
qdisc and filter definitions is pretty general.</li>
|
||||
|
||||
</ul>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||
starts or it allows you to bring up traffic shaping when you bring up your
|
||||
interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||
starts or it allows you to bring up traffic shaping when you bring up
|
||||
your interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
|
||||
shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can
|
||||
mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
To start traffic shaping when you bring up your network interfaces,
|
||||
you will have to arrange for your traffic shaping configuration script to
|
||||
be run at that time. How you do that is distribution dependent and will not
|
||||
be covered here. You then should:<br>
|
||||
To start traffic shaping when you bring up your network interfaces,
|
||||
you will have to arrange for your traffic shaping configuration script
|
||||
to be run at that time. How you do that is distribution dependent and will
|
||||
not be covered here. You then should:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
@ -119,179 +120,179 @@ be covered here. You then should:<br>
|
||||
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||
height="764">
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading
|
||||
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
||||
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
|
||||
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
packets based on their destination address when SNAT or Masquerading are
|
||||
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
|
||||
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
|
||||
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned in
|
||||
case of a match. This is an integer in the range 1-255. Beginning
|
||||
with Shorewall version 1.3.14, this value may be optionally followed by
|
||||
":" and either 'F' or 'P' to designate that the marking will occur in the
|
||||
FORWARD or PREROUTING chains respectively. If this additional specification
|
||||
is omitted, the chain used to mark packets will be determined by the setting
|
||||
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is a
|
||||
comma-separated list of interface names, IP addresses, MAC addresses
|
||||
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated
|
||||
<li>MARK - Specifies the mark value is to be assigned
|
||||
in case of a match. This is an integer in the range 1-255. Beginning
|
||||
with Shorewall version 1.3.14, this value may be optionally followed by ":"
|
||||
and either 'F' or 'P' to designate that the marking will occur in the FORWARD
|
||||
or PREROUTING chains respectively. If this additional specification is omitted,
|
||||
the chain used to mark packets will be determined by the setting of the
|
||||
MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is
|
||||
a comma-separated list of interface names, IP addresses, MAC addresses
|
||||
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated
|
||||
list of IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list
|
||||
of Port names (from /etc/services), port numbers or port ranges (e.g.,
|
||||
21:22); if the protocol is "icmp", this column is interpreted
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol
|
||||
from /etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list
|
||||
of Port names (from /etc/services), port numbers or port ranges
|
||||
(e.g., 21:22); if the protocol is "icmp", this column is interpreted
|
||||
as the destination icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
|
||||
If omitted, any source port is acceptable. Specified as a comma-separate
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
|
||||
If omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with
|
||||
2. All packets originating on the firewall itself should be marked with
|
||||
3.</p>
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with
|
||||
2. All packets originating on the firewall itself should be marked
|
||||
with 3.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
||||
on the firewall and destined for 155.186.235.151 should be marked with
|
||||
12.</p>
|
||||
on the firewall and destined for 155.186.235.151 should be marked
|
||||
with 12.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3>My Setup<br>
|
||||
</h3>
|
||||
</h3>
|
||||
|
||||
<p>While I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
||||
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
|
||||
in the Wondershaper README), I have also run with the following set of
|
||||
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
@ -307,30 +308,31 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
||||
above. You can look at <a href="myfiles.htm">my configuration</a> to
|
||||
see why I wanted shaping of this type.<br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound
|
||||
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
|
||||
can use all available bandwidth if there is no traffic from the local
|
||||
systems or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.</li>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound
|
||||
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
|
||||
traffic can use all available bandwidth if there is no traffic from the
|
||||
local systems or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.</li>
|
||||
|
||||
</ol>
|
||||
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
|
||||
to see how this fit in. <br>
|
||||
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
|
||||
to see how this fit in. <br>
|
||||
|
||||
<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -11,6 +11,7 @@
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -18,175 +19,277 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p>For upgrade instructions see the <a
|
||||
href="Install.htm">Install/Upgrade page</a>.</p>
|
||||
href="Install.htm">Install/Upgrade page</a>.<br>
|
||||
</p>
|
||||
|
||||
<p>It is important that you read all of the sections on this page where the
|
||||
version number mentioned in the section title is later than what you are
|
||||
currently running. <br>
|
||||
</p>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<h3>Version >= 1.4.0</h3>
|
||||
<b>IMPORTANT: Shorewall >=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
|
||||
('ip' utility).</b><br>
|
||||
<br>
|
||||
If you are upgrading from a version < 1.4.0, then:<br>
|
||||
<h3>Version >= 1.4.1</h3>
|
||||
|
||||
<ul>
|
||||
<li>The <b>noping </b>and <b>forwardping</b> interface options are
|
||||
no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
|
||||
ICMP echo-request (ping) packets are treated just like any other connection
|
||||
request and are subject to rules and policies.</li>
|
||||
<li>Interface names of the form <device>:<integer> in
|
||||
/etc/shorewall/interfaces now generate a Shorewall error at startup (they
|
||||
always have produced warnings in iptables).</li>
|
||||
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
|
||||
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
|
||||
are determined by BOTH the interfaces and hosts files when there are entries
|
||||
for the zone in both files.</li>
|
||||
<li>The <b>routestopped</b> option in the interfaces and hosts file
|
||||
has been eliminated; use entries in the routestopped file instead.</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
|
||||
accepted; you must convert to using the new syntax.</li>
|
||||
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
|
||||
<li value="6">Late-arriving DNS replies are not dropped by default;
|
||||
there is no need for your own /etc/shorewall/common file simply to avoid
|
||||
logging these packets.</li>
|
||||
<li value="6">The 'firewall', 'functions' and 'version' file have been
|
||||
moved to /usr/share/shorewall.</li>
|
||||
<li value="6">The icmp.def file has been removed. If you include it
|
||||
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
|
||||
<li value="8">The 'multi' interface option is no longer supported. Shorewall
|
||||
will generate rules for sending packets back out the same interface that
|
||||
they arrived on in two cases:</li>
|
||||
<li>Beginning with Version 1.4.1, intra-zone traffic is accepted by default.
|
||||
Previously, traffic from a zone to itself was treated just like any other
|
||||
traffic; any matching rules were applied followed by enforcement of the appropriate
|
||||
policy. With 1.4.1 and later versions, unless you have explicit rules for
|
||||
traffic from Z to Z or you have an explicit Z to Z policy (where "Z" is some
|
||||
zone) then traffic within zone Z will be accepted. If you do have one or more
|
||||
explicit rules for Z to Z or if you have an explicit Z to Z policy then the
|
||||
behavior is as it was in prior versions.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<ol>
|
||||
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
|
||||
two interfaces to the same zone, that policy can be removed and traffic between
|
||||
the interfaces will traverse fewer rules than previously.</li>
|
||||
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z->Z
|
||||
rules then your configuration should not require any change.</li>
|
||||
<li>If you are currently relying on a implicit policy (one that has "all"
|
||||
in either the SOURCE or DESTINATION column) to prevent traffic between two
|
||||
interfaces to a zone Z and you have no rules for Z->Z then you should
|
||||
add an explicit DROP or REJECT policy for Z to Z.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>Beginning with Version 1.4.1, Shorewall will never create rules to
|
||||
deal with traffic from a given <i>interface:subnetwork </i>back to itself.
|
||||
The <i>multi</i> interface option is no longer available so if you want to
|
||||
route traffic between two subnetworks on the same interface then either:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<ol>
|
||||
<li>The subnetworks must be in different zones; or</li>
|
||||
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
|
||||
in a single zone.</li>
|
||||
|
||||
</ol>
|
||||
</blockquote>
|
||||
Example 1 -- Two zones:<br>
|
||||
<blockquote>
|
||||
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
|
||||
</blockquote>
|
||||
Example 2 -- One zone:
|
||||
<blockquote>
|
||||
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
|
||||
</blockquote>
|
||||
Note that in the second example, we don't need any policy since z->z traffic
|
||||
is accepted by default. The second technique is preferable if you want unlimited
|
||||
access between the two subnetworks.<br>
|
||||
<br>
|
||||
Sometimes, you want two separate zones on one interface but you don't want
|
||||
Shorewall to set up any infrastructure to handle traffic between them. <br>
|
||||
<br>
|
||||
Example:<br>
|
||||
|
||||
<blockquote>
|
||||
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
|
||||
</blockquote>
|
||||
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
|
||||
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
|
||||
can prevent Shorewall from setting up any infrastructure to handle traffic
|
||||
between z1 and z2 by using the new NONE policy:<br>
|
||||
<blockquote>
|
||||
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
|
||||
</blockquote>
|
||||
Note that NONE policies are generally used in pairs unless there is asymetric
|
||||
routing where only the traffic on one direction flows through the firewall
|
||||
and you are using a NONE polciy in the other direction.
|
||||
<h3>Version >= 1.4.0</h3>
|
||||
<b>IMPORTANT: Shorewall >=1.4.0 </b><b>requires</b> <b>the iproute
|
||||
package ('ip' utility).</b><br>
|
||||
<br>
|
||||
<b>Note: </b>Unfortunately, some distributions call this package iproute2
|
||||
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by shorewall-1.4.0-1
|
||||
<br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
|
||||
--nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
If you are upgrading from a version < 1.4.0, then:<br>
|
||||
|
||||
<ul>
|
||||
<li>The <b>noping </b>and <b>forwardping</b> interface options
|
||||
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
|
||||
ICMP echo-request (ping) packets are treated just like any other connection
|
||||
request and are subject to rules and policies.</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
in /etc/shorewall/interfaces now generate a Shorewall error at startup
|
||||
(they always have produced warnings in iptables).</li>
|
||||
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
|
||||
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
|
||||
contents are determined by BOTH the interfaces and hosts files when there
|
||||
are entries for the zone in both files.</li>
|
||||
<li>The <b>routestopped</b> option in the interfaces and hosts
|
||||
file has been eliminated; use entries in the routestopped file instead.</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
|
||||
longer accepted; you must convert to using the new syntax.</li>
|
||||
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
|
||||
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
|
||||
<li value="6">Late-arriving DNS replies are now dropped by default;
|
||||
there is no need for your own /etc/shorewall/common file simply to avoid
|
||||
logging these packets.</li>
|
||||
<li value="6">The 'firewall', 'functions' and 'version' file have
|
||||
been moved to /usr/share/shorewall.</li>
|
||||
<li value="6">The icmp.def file has been removed. If you include
|
||||
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
<li>If you followed the advice in FAQ #2 and call find_interface_address
|
||||
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.4.0</h3>
|
||||
|
||||
<ul>
|
||||
<li value="8">The 'multi' interface option is no longer supported. Shorewall
|
||||
will generate rules for sending packets back out the same interface that
|
||||
they arrived on in two cases:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<ul>
|
||||
<li>There is an <u>explicit</u> policy for the source zone to or from
|
||||
the destination zone. An explicit policy names both zones and does not use
|
||||
the 'all' reserved word.</li>
|
||||
<li>There is an <u>explicit</u> policy for the source zone to or from
|
||||
the destination zone. An explicit policy names both zones and does not use
|
||||
the 'all' reserved word.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>There are one or more rules for traffic for the source zone to
|
||||
<li>There are one or more rules for traffic for the source zone to
|
||||
or from the destination zone including rules that use the 'all' reserved
|
||||
word. Exception: if the source zone and destination zone are the same then
|
||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
||||
word. Exception: if the source zone and destination zone are the same then
|
||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
||||
DESTINATION columns.</li>
|
||||
|
||||
</ul>
|
||||
<li>If you followed the advice in FAQ #2 and call find_interface_address
|
||||
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
</blockquote>
|
||||
|
||||
<h3>Version >= 1.3.14</h3>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Beginning in version 1.3.14, Shorewall treats entries in <a
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Beginning in version 1.3.14, Shorewall treats entries in <a
|
||||
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
|
||||
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
|
||||
<b>column</b>:<br>
|
||||
involves entries with an <b>interface name</b> in the <b>SUBNET</b>
|
||||
(second) <b>column</b>:<br>
|
||||
|
||||
<ul>
|
||||
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
|
||||
interface (as shown by "ip addr show <i>interface</i>") and would masquerade
|
||||
traffic from that subnet. Any other subnets that routed through eth1 needed
|
||||
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
|
||||
applied.</li>
|
||||
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
|
||||
routing table to determine ALL subnets routed through the named interface.
|
||||
Traffic originating in ANY of those subnets is masqueraded or has SNAT
|
||||
applied.</li>
|
||||
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
|
||||
on the interface (as shown by "ip addr show <i>interface</i>") and would
|
||||
masquerade traffic from that subnet. Any other subnets that routed through
|
||||
eth1 needed their own entry in /etc/shorewall/masq to be masqueraded or
|
||||
to have SNAT applied.</li>
|
||||
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
|
||||
routing table to determine ALL subnets routed through the named interface.
|
||||
Traffic originating in ANY of those subnets is masqueraded or has SNAT
|
||||
applied.</li>
|
||||
|
||||
</ul>
|
||||
You will need to make a change to your configuration if:<br>
|
||||
You will need to make a change to your configuration if:<br>
|
||||
|
||||
<ol>
|
||||
<li>You have one or more entries in /etc/shorewall/masq with an interface
|
||||
name in the SUBNET (second) column; and</li>
|
||||
<li>That interface connects to more than one subnetwork.</li>
|
||||
<li>You have one or more entries in /etc/shorewall/masq with
|
||||
an interface name in the SUBNET (second) column; and</li>
|
||||
<li>That interface connects to more than one subnetwork.</li>
|
||||
|
||||
</ol>
|
||||
Two examples:<br>
|
||||
<br>
|
||||
<b>Example 1</b> -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
Two examples:<br>
|
||||
<br>
|
||||
<b>Example 1</b> -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
|
||||
required.<br>
|
||||
</blockquote>
|
||||
<b>Example 2</b>-- What if your current configuration is like this?<br>
|
||||
required.<br>
|
||||
</blockquote>
|
||||
<b>Example 2</b>-- What if your current configuration is like this?<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE SUBNET ADDRESS <br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254 <br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
|
||||
to:<br>
|
||||
</blockquote>
|
||||
to:<br>
|
||||
</blockquote>
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS <br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Version 1.3.14 also introduced simplified ICMP echo-request (ping)
|
||||
handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
|
||||
is used to specify that the old (pre-1.3.14) ping handling is to be used
|
||||
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
|
||||
is assumed). I don't plan on supporting the old handling indefinitely so
|
||||
I urge current users to migrate to using the new handling as soon as possible.
|
||||
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Version 1.3.14 also introduced simplified ICMP echo-request
|
||||
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
|
||||
is used to specify that the old (pre-1.3.14) ping handling is to be used
|
||||
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
|
||||
is assumed). I don't plan on supporting the old handling indefinitely
|
||||
so I urge current users to migrate to using the new handling as soon as
|
||||
possible. See the <a href="ping.html">'Ping' handling documentation</a>
|
||||
for details.<br>
|
||||
|
||||
<h3>Version 1.3.10</h3>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
|
||||
to version 1.3.10, you will need to use the '--force' option:<br>
|
||||
<br>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
|
||||
to version 1.3.10, you will need to use the '--force' option:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<h3>Version >= 1.3.9</h3>
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions.
|
||||
If you have an application that uses functions from that file, your application
|
||||
will need to be changed to reflect this change of location.<br>
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions.
|
||||
If you have an application that uses functions from that file, your
|
||||
application will need to be changed to reflect this change of location.<br>
|
||||
|
||||
<h3>Version >= 1.3.8</h3>
|
||||
|
||||
<p>If you have a pair of firewall systems configured for failover
|
||||
or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall
|
||||
versions >= 1.3.8. Beginning with version 1.3.8,
|
||||
you must set NEWNOTSYN=Yes in your
|
||||
/etc/shorewall/shorewall.conf file.</p>
|
||||
or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall
|
||||
versions >= 1.3.8. Beginning with version 1.3.8,
|
||||
you must set NEWNOTSYN=Yes in your
|
||||
/etc/shorewall/shorewall.conf file.</p>
|
||||
|
||||
<h3>Version >= 1.3.7</h3>
|
||||
|
||||
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
|
||||
will need to include the following rules
|
||||
in their /etc/shorewall/icmpdef file (creating
|
||||
this file if necessary):</p>
|
||||
will need to include the following rules
|
||||
in their /etc/shorewall/icmpdef file
|
||||
(creating this file if necessary):</p>
|
||||
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
|
||||
|
||||
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
|
||||
command from that file since the icmp.def file is now empty.</p>
|
||||
command from that file since the icmp.def file is now empty.</p>
|
||||
|
||||
<h3><b><a name="Bering">Upgrading </a>Bering to
|
||||
Shorewall >= 1.3.3</b></h3>
|
||||
@ -195,62 +298,63 @@ If you have an application that uses functions from that file, your applicat
|
||||
1.3.3 and later:</p>
|
||||
|
||||
<ol>
|
||||
<li>Be sure you have a backup
|
||||
-- you will need to transcribe any Shorewall
|
||||
configuration changes that you have
|
||||
made to the new configuration.</li>
|
||||
<li>Replace the shorwall.lrp
|
||||
package provided on the Bering floppy
|
||||
with the later one. If you did not obtain
|
||||
the later version from Jacques's site,
|
||||
see additional instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall
|
||||
entry if present. Then do not forget
|
||||
to backup root.lrp !</li>
|
||||
<li>Be sure you have a backup
|
||||
-- you will need to transcribe any
|
||||
Shorewall configuration changes that
|
||||
you have made to the new configuration.</li>
|
||||
<li>Replace the shorwall.lrp
|
||||
package provided on the Bering floppy
|
||||
with the later one. If you did not
|
||||
obtain the later version from Jacques's
|
||||
site, see additional instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall
|
||||
entry if present. Then do not forget
|
||||
to backup root.lrp !</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>The .lrp that I release isn't set up for a two-interface firewall like
|
||||
Jacques's. You need to follow the <a href="two-interface.htm">instructions
|
||||
for setting up a two-interface firewall</a> plus you also need to add
|
||||
the following two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
Jacques's. You need to follow the <a href="two-interface.htm">instructions
|
||||
for setting up a two-interface firewall</a> plus you also need to
|
||||
add the following two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
|
||||
|
||||
<p align="left">If you have a pair of firewall systems configured for
|
||||
failover or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall versions 1.3.6
|
||||
and 1.3.7</p>
|
||||
your firewall setup slightly under Shorewall versions 1.3.6
|
||||
and 1.3.7</p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<li>
|
||||
|
||||
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn -j RETURN
|
||||
# So that the connection tracking table can be rebuilt<br>
|
||||
# from non-SYN
|
||||
packets after takeover.<br>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn
|
||||
-j RETURN # So that the connection tracking table can be
|
||||
rebuilt<br>
|
||||
# from non-SYN
|
||||
packets after takeover.<br>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">Create /etc/shorewall/common (if you don't already
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p tcp
|
||||
--tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
|
||||
connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p
|
||||
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
|
||||
to rebuild connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -263,48 +367,43 @@ connection<br>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<p align="left">Must be replaced with:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Example 2:</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Must be replaced with:</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> REDIRECT loc 3128 tcp 80</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<h3 align="left">Version >= 1.3.2</h3>
|
||||
|
||||
<p align="left">The functions and versions files together with the
|
||||
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
|
||||
If you have applications that access these files, those applications
|
||||
should be modified accordingly.</p>
|
||||
If you have applications that access these files, those
|
||||
applications should be modified accordingly.</p>
|
||||
|
||||
<p><font size="2"> Last updated 3/6/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
<p><font size="2"> Last updated 3/18/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -5,3 +5,5 @@ Changes since 1.4.0
|
||||
2. Never create rules for <iface>:<subnet> to itself.
|
||||
|
||||
3. Always allow intrazone traffic.
|
||||
|
||||
4. Correct building of ECN interface list under ash.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.0
|
||||
VERSION=1.4.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.0
|
||||
VERSION=1.4.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.0
|
||||
%define version 1.4.1
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -105,6 +105,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.1-1
|
||||
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-1
|
||||
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.4.0
|
||||
VERSION=1.4.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|