Updates for 2.0.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1317 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-05-08 22:31:54 +00:00
parent e023c8b712
commit 84029e5bd4
32 changed files with 6910 additions and 6517 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-05</pubdate>
<pubdate>2004-04-19</pubdate>
<copyright>
<year>2003-2004</year>
@ -193,9 +193,13 @@
[root@gateway shorewall]#</programlisting>
<para>Here&#39;s how the same example would be constructed on an HTTP server
(READ THAT FOLKS -- IT SAYS <emphasis role="underline">SERVER</emphasis>. If
you want to account for web browsing, you have to reverse the rules below)
with only one interface (eth0):</para>
with only one interface (eth0).</para>
<caution>
<para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis role="bold">SERVER</emphasis>.
If you want to account for web browsing, you have to reverse the rules
below.</para>
</caution>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
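Review bot: the new <caution> block repeats the warning that the preceding <para> still carries inline as "(READ THAT FOLKS -- IT SAYS SERVER. If you want to account for web browsing, you have to reverse the rules below)"; with the caution in place, drop that parenthetical from the para so the warning is made once, leaving "Here's how the same example would be constructed on an HTTP server with only one interface (eth0)." followed by the caution.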
@ -228,4 +232,7 @@
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#</programlisting>
<para>For an example of integrating Shorewall Accounting with MRTG, see
<ulink url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
</article>


View File

@ -64,7 +64,7 @@
Please review the appropriate guide before trying to use this documentation
directly.</para>
<itemizedlist>
<orderedlist>
<listitem>
<para><ulink url="Accounting.html">Accounting</ulink></para>
</listitem>
@ -391,5 +391,5 @@
<listitem>
<para><ulink url="whitelisting_under_shorewall.htm">White List Creation</ulink></para>
</listitem>
</itemizedlist>
</orderedlist>
</article>


View File

@ -15,11 +15,13 @@
</author>
</authorgroup>
<pubdate>2003-12-01</pubdate>
<pubdate>2004-04-26</pubdate>
<copyright>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -62,6 +64,27 @@
</orderedlist>
</important>
<important>
<para><trademark>Mandrake</trademark> have done it again with their 10.0
release. This time, they have decided that kernel modules should have
&#34;ko.gz&#34; for their suffix. If you are having problems with Mandrake
10.0 and FTP, change your <filename>/etc/shorewall/conf</filename> file
definition of MODULE_SUFFIX as follows:</para>
<programlisting>MODULE_SUFFIX=&#34;o gz ko o.gz ko.gz&#34;</programlisting>
<para>The version of <command>insmod</command> shipped with 10.0 also does
not comprehend these module files so you will also need to change
<filename>/usr/share/shorewall/firewall</filename> -- replace the line
that reads:</para>
<programlisting> insmod $modulefile $*</programlisting>
<para>with:</para>
<programlisting> modprobe $modulename $*</programlisting>
</important>
<section>
<title>FTP Protocol</title>
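Review bot: the file to edit is given as <filename>/etc/shorewall/conf</filename>, but the MODULE_SUFFIX setting lives in /etc/shorewall/shorewall.conf (the name this same commit uses in the new "Special Note about /etc/shorewall/shorewall.conf" section); correct the filename. The insmod-to-modprobe replacement also swaps the argument from $modulefile to $modulename, and nothing in the note says whether /usr/share/shorewall/firewall already defines $modulename; either confirm it does or tell the reader what else to change, otherwise the edited script runs modprobe with an empty module argument.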

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-03-20</pubdate>
<pubdate>2004-05-04</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -38,9 +39,10 @@
Linux Kernel. David Hollis has provided i<ulink
url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation
about how to set up a simple tunnel under 2.6</ulink>. One important point
that is not made explicit in David&#39;s post is that the <emphasis
that is not made explicit in David's post is that the <emphasis
role="bold">vpn</emphasis> zone must be defined before the <emphasis
role="bold">net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</para>
role="bold">net</emphasis> zone in
<filename>/etc/shorewall/zones</filename>.</para>
</warning>
<section>
@ -54,7 +56,8 @@
<warning>
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
2.0.0 available from the <ulink url="errata.htm">Errata Page</ulink>.</para>
2.0.0 available from the <ulink url="errata.htm">Errata
Page</ulink>.</para>
</warning>
<important>
@ -187,30 +190,111 @@ conn packetdefault
<title>VPN</title>
<para>You need to define a zone for the remote subnet or include it in
your local zone. In this example, we&#39;ll assume that you have created
a zone called <quote>vpn</quote> to represent the remote subnet.</para>
your local zone. In this example, we'll assume that you have created a
zone called <quote>vpn</quote> to represent the remote subnet.</para>
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
Subnet</entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/zones local</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>At both systems, ipsec0 would be included in
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
<para><table><title>/etc/shorewall/interfaces system local &#38; remote</title><tgroup
cols="4"><thead><row><entry align="center">ZONE</entry><entry
align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry
align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/interfaces system local &amp; remote</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone -- if you simply want to admit all
traffic in both directions, you can use the policy file:</para>
<para><table><title>/etc/shorewall/policy local &#38; remote</title><tgroup
cols="4"><thead><row><entry align="center">SOURCE</entry><entry
align="center">DEST</entry><entry align="center">POLICY</entry><entry
align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/policy local &amp; remote</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <ulink
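Review bot: the policy table pairs "loc vpn ACCEPT" with "vpn loc ACCEPT", and the text presents this as the simple option; it is worth one sentence saying that these two policies make the remote subnet exactly as trusted as the local zone, so the rules-file alternative (ACCEPT only the services actually needed across the tunnel) is the one to prefer when the remote end is not under the same administration.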
@ -299,7 +383,7 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
<table>
<title>/etc/shorewall/tunnels system B &#38; C</title>
<title>/etc/shorewall/tunnels system B &amp; C</title>
<tgroup cols="4">
<thead>
@ -376,7 +460,7 @@ conn packetdefault
<para>On systems B and C:</para>
<table>
<title>/etc/shorewall/zones system B &#38; C</title>
<title>/etc/shorewall/zones system B &amp; C</title>
<tgroup cols="3">
<thead>
@ -434,7 +518,8 @@ conn packetdefault
</tgroup>
</table>
<para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
<para>The /etc/shorewall/hosts file on system A defines the two VPN
zones:</para>
<table>
<title>/etc/shorewall/hosts system A</title>
@ -474,7 +559,7 @@ conn packetdefault
following in /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system B &#38; C</title>
<title>/etc/shorewall/interfaces system B &amp; C</title>
<tgroup cols="4">
<thead>
@ -575,7 +660,7 @@ conn packetdefault
policy file entries on all three gateways:</para>
<table>
<title>/etc/shorewall/policy system B &#38; C</title>
<title>/etc/shorewall/policy system B &amp; C</title>
<tgroup cols="4">
<thead>
@ -616,7 +701,8 @@ conn packetdefault
<para>Once you have the Shorewall entries added, restart Shorewall on each
gateway (type shorewall restart); you are now ready to configure the
tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
tunnels in <ulink
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
<note>
<para>to allow traffic between the networks attached to systems B and C,
@ -684,27 +770,75 @@ conn packetdefault
<title>Road Warrior VPN</title>
<para>You need to define a zone for the laptop or include it in your
local zone. In this example, we&#39;ll assume that you have created a
zone called <quote>vpn</quote> to represent the remote host.</para>
local zone. In this example, we'll assume that you have created a zone
called <quote>vpn</quote> to represent the remote host.</para>
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
Subnet</entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/zones local</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</para>
<para><table><title>/etc/shorewall/tunnels system A</title><tgroup
cols="4"><thead><row><entry align="center">TYPE</entry><entry
align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
<para><table>
<title>/etc/shorewall/tunnels system A</title>
<para><note><para>the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the remote
gateway is a standalone system.</para></note></para>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para><note>
<para>the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para>
</note></para>
<para>You will need to configure /etc/shorewall/interfaces and establish
your <quote>through the tunnel</quote> policy as shown under the first
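Review bot: the zones table's COMMENTS cell still reads "Remote Subnet", copied from the gateway-to-gateway example, while the paragraph above says the vpn zone represents "the remote host"; change it to "Remote Host". The rendered diff also shows the removed <para><note> block sitting between the table's <title> and <tgroup cols="4">; confirm that in the new file the note follows </table> rather than sitting inside it, since a <para> at that position in a <table> will not validate.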
@ -717,7 +851,11 @@ conn packetdefault
<para>Beginning with Shorewall release 1.3.10, you can define multiple VPN
zones and add and delete remote endpoints dynamically using
/sbin/shorewall. In /etc/shorewall/zones:</para>
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
url="Documentation.htm#Conf">shorewall.conf</ulink>.</para>
<para>In /etc/shorewall/zones:</para>
<table>
<title>/etc/shorewall/zones</title>
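Review bot: the new sentence says that from 2.0.2 Beta 1 the capability must be enabled with DYNAMIC_ZONES=Yes, but not what happens when it is left off: does /sbin/shorewall add fail with an error or silently do nothing? State that, and the default value shipped in shorewall.conf, because the updown script later in this file issues "shorewall add" unconditionally and will misbehave on an upgraded system where the option was never set.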
@ -801,7 +939,8 @@ conn packetdefault
a different updown script that adds the remote station to the appropriate
zone when the connection comes up and that deletes the remote station when
the connection comes down. For example, when 134.28.54.2 connects for the
vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
vpn2 zone the <quote>up</quote> part of the script will issue the
command:</para>
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
@ -818,11 +957,45 @@ conn packetdefault
<example>
<title>dyn=dynamic zone</title>
<para><informaltable><tgroup cols="7"><thead><row><entry
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
align="center">PORT(S)</entry><entry align="center">CLIENT PORT(S)</entry><entry
align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>DNAT</entry><entry>z!dyn</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para>
<para><informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>z!dyn</entry>
<entry>loc:192.168.1.3</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable></para>
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
will have no effect on the above rule.</para>
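Review bot: the example states that dynamic changes to dyn have no effect on the "z!dyn" DNAT rule but gives no reason, so the reader cannot tell which other rule forms share the limitation; add a sentence saying why (at what point the exclusion is expanded into iptables rules) and whether the same applies to any rule that names a dynamic zone in an exclusion.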

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-03-01</pubdate>
<pubdate>2004-05-07</pubdate>
<copyright>
<year>2001</year>
@ -35,7 +35,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -44,9 +45,9 @@
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
print a copy of the <ulink
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
for the configuration that most closely matches your own.</para>
</important>
<warning>
@ -64,14 +65,15 @@
<listitem>
<para>Install the RPM</para>
<programlisting><command>rpm -ivh &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -ivh &lt;shorewall rpm&gt;</command></programlisting>
<note>
<para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm.</para>
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to
rpm.</para>
<programlisting><filename><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></filename></programlisting>
<programlisting><filename><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></filename></programlisting>
</note>
<note>
@ -82,9 +84,10 @@
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
<para>This may be worked around by using the --nodeps option of rpm.</para>
<para>This may be worked around by using the --nodeps option of
rpm.</para>
<programlisting><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note>
</listitem>
@ -116,9 +119,9 @@
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
print a copy of the <ulink
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
for the configuration that most closely matches your own.</para>
</important>
<para>To install Shorewall using the tarball and install script:</para>
@ -134,14 +137,19 @@
</listitem>
<listitem>
<para>If you are using <ulink
url="http://www.caldera.com/openstore/openlinux/">Caldera</ulink>,
<ulink url="http://www.redhat.com">RedHat</ulink>, <ulink
url="http://www.linux-mandrake.com">Mandrake</ulink>, <ulink
url="http://www.corel.com">Corel</ulink>, <ulink
url="http://www.suse.com">SuSe</ulink>,<ulink
url="http://www.slackware.com/"> Slackware</ulink> or <ulink
url="http://www.debian.org">Debian/Gentoo</ulink> then type</para>
<para>If you are running <ulink
url="http://www.slackware.com">Slackware</ulink>, edit the install.sh
file and change the line</para>
<programlisting>DEST=""</programlisting>
<para>to</para>
<programlisting>DEST="/etc/rc.d"</programlisting>
</listitem>
<listitem>
<para>Type</para>
<programlisting><command>./install.sh</command></programlisting>
</listitem>
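Review bot: replacing the Caldera/RedHat/Mandrake/Corel/SuSE/Slackware/Debian list with a Slackware-only DEST edit leaves readers on the other distributions with no statement of what install.sh does for them; add a sentence saying how the script handles those init layouts without editing. The Slackware item and the separate "Type ./install.sh" item are added again, verbatim, in the upgrade section further down this file; two copies will drift, so consider one shared section referenced from both procedures.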
@ -152,9 +160,10 @@
</listitem>
<listitem>
<para>Enable Startup by removing <filename>/etc/shorewall/startup_disabled</filename>
(Debian users will edit <filename>/etc/default/shorewall</filename>
and set startup=1).</para>
<para>Enable Startup by removing
<filename>/etc/shorewall/startup_disabled</filename> (Debian users
will edit <filename>/etc/default/shorewall</filename> and set
startup=1).</para>
</listitem>
<listitem>
@ -166,7 +175,8 @@
<listitem>
<para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
url="starting_and_stopping_shorewall.htm">these
instructions</ulink>.</para>
</listitem>
</orderedlist>
</section>
@ -176,15 +186,16 @@
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
print a copy of the <ulink
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
for the configuration that most closely matches your own.</para>
</important>
<para>To install my version of Shorewall on a fresh Bering disk, simply
replace the <quote>shorwall.lrp</quote> file on the image with the file
that you downloaded. See the <ulink url="two-interface.htm">two-interface
QuickStart Guide</ulink> for information about further steps required.</para>
QuickStart Guide</ulink> for information about further steps
required.</para>
</section>
<section id="Upgrade_RPM">
@ -204,22 +215,23 @@
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
upgrade issues</ulink> for details.</para>
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
<listitem>
<para>Upgrade the RPM</para>
<programlisting><command>rpm -Uvh &#60;shorewall rpm file&#62;</command></programlisting>
<programlisting><command>rpm -Uvh &lt;shorewall rpm file&gt;</command></programlisting>
<note>
<para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm.</para>
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to
rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note>
<note>
@ -230,15 +242,17 @@
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
<para>This may be worked around by using the --nodeps option of rpm.</para>
<para>This may be worked around by using the --nodeps option of
rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note>
</listitem>
<listitem>
<para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as necessary.</para>
configuration and the new Shorewall version and correct as
necessary.</para>
<programlisting><command>shorewall check</command></programlisting>
</listitem>
@ -268,8 +282,8 @@
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
upgrade issues</ulink> for details.</para>
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
@ -285,21 +299,27 @@
</listitem>
<listitem>
<para>If you are using <ulink
url="http://www.caldera.com/openstore/openlinux/">Caldera</ulink>,
<ulink url="http://www.redhat.com">RedHat</ulink>, <ulink
url="http://www.linux-mandrake.com">Mandrake</ulink>, <ulink
url="http://www.corel.com">Corel</ulink>, <ulink
url="http://www.suse.com">SuSe</ulink>, <ulink
url="http://www.slackware.com/">Slackware</ulink> or <ulink
url="http://www.debian.org">Debian/Gentoo</ulink> then type</para>
<para>If you are running <ulink
url="http://www.slackware.com">Slackware</ulink>, edit the install.sh
file and change the line</para>
<programlisting>DEST=""</programlisting>
<para>to</para>
<programlisting>DEST="/etc/rc.d"</programlisting>
</listitem>
<listitem>
<para>Type</para>
<programlisting><command>./install.sh</command></programlisting>
</listitem>
<listitem>
<para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as necessary.</para>
configuration and the new Shorewall version and correct as
necessary.</para>
<programlisting><command>shorewall check</command></programlisting>
</listitem>
@ -313,7 +333,8 @@
<listitem>
<para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
url="starting_and_stopping_shorewall.htm">these
instructions</ulink>.</para>
</listitem>
</orderedlist>
</section>
@ -342,6 +363,7 @@
<section>
<title>Uninstall/Fallback</title>
<para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
<para>See <quote><ulink url="fallback.htm">Fallback and
Uninstall</ulink></quote>.</para>
</section>
</article>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2003-12-23</pubdate>
<pubdate>2004-04-15</pubdate>
<copyright>
<year>2001</year>
@ -24,6 +24,8 @@
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -37,6 +39,16 @@
</legalnotice>
<revhistory>
<revision>
<revnumber>1.2</revnumber>
<date>2004-04-15</date>
<authorinitials>TE</authorinitials>
<revremark>Revised instructions regarding PPTP conntrack patch.</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
@ -909,14 +921,16 @@ esac</programlisting>
<para>You shouldn&#39;t have to take any special action for this case
unless you wish to connect multiple clients to the same external server.
In that case, you will need to follow the instructions at <ulink
url="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</ulink>.
I recommend that you also add these three lines to your
In that case, you must install the PPTP connection/tracking and NAT patch
from <ulink url="http://www.netfilter.org">Netfilter Patch-O-Mati</ulink>c
(some distributions are now shipping with this patch installed). I
recommend that you also add these four lines to your
/etc/shorewall/modules file:</para>
<programlisting>loadmodule ip_conntrack_proto_gre
loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp</programlisting>
loadmodule ip_nat_pptp
loadmodule ip_nat_proto_gre</programlisting>
<para>For LEAF/Bering users, the 2.4.20 kernel as already been patched as
described at the URL above and the three modules are included in the
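Review bot: the closing </ulink> lands inside the word, "Patch-O-Mati</ulink>c", so the rendered link text is "Patch-O-Mati" with a stray "c" after it; move the tag after the c. The unchanged context that follows, "the 2.4.20 kernel as already been patched as described at the URL above and the three modules", now points at the impsec.org URL this hunk removes and still says three modules where the list has four; update it to name the Patch-O-Matic link and four modules (and "as" should be "has").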

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-03-29</pubdate>
<pubdate>2004-04-19</pubdate>
<copyright>
<year>2003-2004</year>
@ -153,7 +153,7 @@ REDIRECT loc 3228 tcp www - !206.124.146.
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
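Review bot: "ip rule add fwmark CA" only works because this version of the ip utility parses the fwmark as hexadecimal; writing the mark as 0xCA is read as 202 by both the hex-parsing and the later decimal-parsing iproute2 builds, so it is the version-proof spelling and makes the "# Note 0xCA = 202" comment unnecessary. The same change is made in the second /etc/shorewall/init listing below and should be spelled the same way there.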
@ -232,7 +232,7 @@ chkconfig --level 35 iptables on</command></programlisting>
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi</command></programlisting>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-05</pubdate>
<pubdate>2004-04-12</pubdate>
<copyright>
<year>2004</year>
@ -152,7 +152,7 @@
<section>
<title>Configuring the Bridge</title>
<para>Configuring the bridge itself is quite simple and used the
<para>Configuring the bridge itself is quite simple and uses the
<command>brctl</command> utility from the bridge-utils package. Bridge
configuration information may be found at <ulink
url="http://bridge.sf.net">http://bridge.sf.net</ulink>.</para>
@ -334,7 +334,7 @@ dmz br0:eth2</programlisting>
<section>
<title>Limitations</title>
<para>Bridging doesn&#39; t work with wireless cards — see <ulink
<para>Bridging doesn&#39; t work with some wireless cards — see <ulink
url="http://bridge.sf.net">http://bridge.sf.net</ulink>.</para>
</section>
</article>
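Review bot: "doesn&#39; t" has a space between the apostrophe and the "t" in both the old and the new line; fix it to "doesn&#39;t" while the line is being touched.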

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-03</pubdate>
<pubdate>2004-04-20</pubdate>
<copyright>
<year>2001-2004</year>
@ -93,6 +93,16 @@
and modify the copy</emphasis>.</para></listitem></itemizedlist></para>
</section>
<section>
<title>Special Note about /etc/shorewall/shorewall.conf</title>
<para>It is a good idea to modify your /etc/shorewall/shorewall.conf file,
even if you just add a comment that says &#34;I modified this file&#34;.
That way, your package manager won&#39;t overwrite the file with future
updated versions. Such overwrites can cause unwanted changes in the
behavior of Shorewall.</para>
</section>
<section id="Comments">
<title>Comments</title>
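Review bot: "your package manager won't overwrite the file" holds only when the package ships shorewall.conf as a configuration file: with an RPM %config(noreplace) entry the edited file is kept and the new one lands as shorewall.conf.rpmnew, with plain %config the edited copy is moved to shorewall.conf.rpmsave and replaced, and dpkg prompts for a conffile. Qualify the sentence accordingly and tell readers to look for .rpmnew/.rpmsave files after an upgrade, since a silently replaced shorewall.conf is exactly the behaviour change this note is trying to prevent.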
@ -381,9 +391,12 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<title>Using MAC Addresses</title>
<para>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, your
kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</para>
source in several of the configuration files. In order to control traffic
to/from a host by its MAC address, the host must be on the same network as
the firewall.</para>
<para>To use this feature, your kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</para>
<para>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.</para>
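Review bot: the new sentence says the host must be on the same network as the firewall but not why; add that the source MAC the firewall sees belongs to whichever device last forwarded the frame, so a host behind a router shows up with the router's MAC and the rule never matches it. It is also worth a caveat that a MAC address is set in software and easily changed, so MAC-based entries identify a device for convenience but do not authenticate it and should not be the only control on a sensitive rule.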

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-03-20</pubdate>
<pubdate>2004-05-03</pubdate>
<copyright>
<year>2001-2004</year>
@ -27,7 +27,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -55,9 +56,9 @@
<listitem>
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
For example, do NOT install the 1.3.9a firewall script if you are
running 1.3.7c.</para>
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW.</emphasis> For example, do NOT install the 1.3.9a firewall
script if you are running 1.3.7c.</para>
</listitem>
</itemizedlist>
</caution>
@ -65,7 +66,8 @@
<section>
<title>RFC1918 File</title>
<para><ulink url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>. This file only
applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall
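Review bot: the link moves from errata/1.4.8/rfc1918 to errata/1.4.10/rfc1918 while the sentence says the file "only applies to Shorewall version 2.0.0 and its bugfix updates"; confirm that a 1.4.10 path is intended for a 2.0 file (the new bogons link in the next hunk uses errata/2.0.1/), or readers will assume they have been sent to the wrong file.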
@ -75,9 +77,75 @@
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
</section>
<section>
<title>Bogons File</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#Bogons">bogons file</ulink>.</para>
</section>
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.1</title>
<itemizedlist>
<listitem>
<para>Confusing message mentioning IPV6 occur at startup.</para>
</listitem>
<listitem>
<para>Modules listed in /etc/shorewall/modules don't load or produce
errors on Mandrake 10.0 Final.</para>
</listitem>
<listitem>
<para>The <command>shorewall delete</command> command does not
remove all dynamic rules pertaining to the host(s) being
deleted.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
firewall script</ulink> which may be installed in
<filename>/usr/share/shorewall/firewall</filename> as described
above.</para>
<itemizedlist>
<listitem>
<para>When run on a SuSE system, the install.sh script fails to
configure Shorewall to start at boot time. That problem is corrected
in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
version of the script</ulink>.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.1/2.0.0</title>
<itemizedlist>
<listitem>
<para>On Debian systems, an install using the tarball results in an
inability to start Shorewall at system boot. If you already have
this problem, install <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
file</ulink> as /etc/init.d/shorewall (replacing the existing file
with that name). If you are just installing or upgrading to
Shorewall 2.0.0 or 2.0.1, then replace the
<filename>init.debian.sh</filename> file in the Shorewall
distribution directory (shorewall-2.0.x) with the updated file
before running <command>install.sh</command> from that
directory.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.0</title>
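Review bot: The "shorewall delete" item understates its impact. If the dynamic rules for a deleted host are not removed, that host keeps whatever access the dynamic zone granted until the firewall is restarted, which is a security problem rather than a cosmetic one; say so, and tell users who cannot install the fixed firewall script immediately to run "shorewall restart" after a delete. The Debian item tells readers to drop a new file in as /etc/init.d/shorewall but gives them no way to confirm the fix took (for example that the replaced script is executable and still enabled at boot); one sentence of verification would prevent the follow-up reports this section is meant to avoid.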
@ -95,11 +163,13 @@
</listitem>
</itemizedlist>
<para>The first problem has been corrected in Shorewall update 2.0.0a.</para>
<para>The first problem has been corrected in Shorewall update
2.0.0a.</para>
<para>All of these problems may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
firewall script</ulink> in /usr/share/shorewall as described above.</para>
firewall script</ulink> in /usr/share/shorewall as described
above.</para>
</section>
</section>
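Review bot: Path wording is inconsistent: this paragraph says to install the script "in /usr/share/shorewall", while the 2.0.1 section above says "/usr/share/shorewall/firewall". Use the full file name in both places so that nobody saves the download into the directory under its own name and wonders why nothing changed.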
@ -111,118 +181,12 @@
</section>
<section>
<title>Problem with iptables version 1.2.3</title>
<title>Problem with iptables 1.2.9</title>
<para>There are a couple of serious bugs in iptables 1.2.3 that prevent it
from working with Shorewall. Regrettably, RedHat released this buggy
iptables in RedHat 7.2.&#x00A0;</para>
<para>I have built a <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">corrected
1.2.3 rpm which you can download here</ulink>&#x00A0; and I have also
built an <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">iptables-1.2.4
rpm which you can download here</ulink>. If you are currently running
RedHat 7.1, you can install either of these RPMs before you upgrade to
RedHat 7.2.</para>
<para><emphasis role="bold">Update 11/9/2001:</emphasis> RedHat has
released an iptables-1.2.4 RPM of their own which you can download from
<ulink url="http://www.redhat.com/support/errata/RHSA-2001-144.html.">http://www.redhat.com/support/errata/RHSA-2001-144.html</ulink>.I
have installed this RPM on my firewall and it works fine.</para>
<para>If you would like to patch iptables 1.2.3 yourself, the patches are
available for download. This <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</ulink>
which corrects a problem with parsing of the --log-level specification
while this <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</ulink>
corrects a problem in handling the&#x00A0; TOS target.</para>
<para>To install one of the above patches:<programlisting> cd iptables-1.2.3/extensions
patch -p0 &#60; the-patch-file</programlisting></para>
</section>
<section>
<title>Problems with kernels &#62;= 2.4.18 and RedHat iptables</title>
<para>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</para>
<blockquote>
<programlisting># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&#62;info.valid_hooks == (1 &#60;&#60; 0 | 1 &#60;&#60; 3)&#39; failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&#62;info.valid_hooks == (1 &#60;&#60; 0 | 1 &#60;&#60; 3)&#39; failed.
Aborted (core dumped)</programlisting>
</blockquote>
<para>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter <quote>mangle</quote> table. You can correct the problem by
installing <ulink
url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this
iptables RPM</ulink>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
<quote>iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm</quote>).</para>
</section>
<section>
<title>Problems with iptables version 1.2.7 and MULTIPORT=Yes</title>
<para>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running Shorewall
1.3.7a or later or:</para>
<itemizedlist>
<listitem>
<para>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or</para>
</listitem>
<listitem>
<para>If you are running Shorewall 1.3.6 you may install <ulink
url="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">this
firewall script</ulink> in /usr/lib/shorewall/firewall as described
above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Problems with RH Kernel 2.4.18-10 and NAT</title>
<para>/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:</para>
<programlisting> #EXTERNAL&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; INTERFACE&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; INTERNAL&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; ALL INTERFACES&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; LOCAL
192.0.2.22&#x00A0;&#x00A0;&#x00A0; eth0&#x00A0;&#x00A0;&#x00A0; 192.168.9.22&#x00A0;&#x00A0; yes&#x00A0;&#x00A0;&#x00A0;&#x00A0; yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>Error message is:</para>
<programlisting> Setting up NAT...
iptables: Invalid argument
Terminated</programlisting>
<para>The solution is to put <quote>no</quote> in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
it. The 2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see <ulink
url="http://www.shorewall.net/Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</ulink>.</para>
<para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
Final) or later then you need to patch your iptables 1.2.9 with <ulink
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
patch</ulink>.</para>
</section>
<section>
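Review bot: The new "Problem with iptables 1.2.9" section never states what the problem is. The body only says that "the new features in Shorewall 2.0.2" require the patch; it names neither the features nor the symptom, and the revision-history entry for this change calls it an "iptables-save bug notice", which the section text does not mention at all. State which operation fails and what the user sees, so readers can tell whether they are affected before patching a system binary. Since the fix is a source patch fetched over plain HTTP and applied to the firewall's own iptables, publishing a checksum or signature next to iptables-1.2.9.diff would also be appropriate.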
@ -233,24 +197,151 @@ Aborted (core dumped)</programlisting>
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<note>
<para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
<para>RedHat have corrected this problem in their 2.4.20-27.x
kernels.</para>
</note>
</section>
<appendix>
<title>Revision History4</title>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.6</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-03-17</date><authorinitials>TE</authorinitials><revremark>Action
rules are reported as policies.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-03</date><authorinitials>TE</authorinitials><revremark>Update
for Shorewall 2.0.0.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
Conversion to Docbook XML</revremark></revision></revhistory></para>
<para><revhistory>
<revision>
<revnumber>1.12</revnumber>
<date>2004-05-04</date>
<authorinitials>TE</authorinitials>
<revremark>Add Alex Wilms's "install.sh" fix.</revremark>
</revision>
<revision>
<revnumber>1.11</revnumber>
<date>2004-05-03</date>
<authorinitials>TE</authorinitials>
<revremark>Add Stefan Engel's "shorewall delete" fix.</revremark>
</revision>
<revision>
<revnumber>1.10</revnumber>
<date>2004-04-28</date>
<authorinitials>TE</authorinitials>
<revremark>Add iptables 1.2.9 iptables-save bug notice.</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2004-04-21</date>
<authorinitials>TE</authorinitials>
<revremark>Debian initialization script problem. Deleted obsolete
sections.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2004-04-20</date>
<authorinitials>TE</authorinitials>
<revremark>Updated RFC1918 and BOGONS files.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-03-20</date>
<authorinitials>TE</authorinitials>
<revremark>Proxy ARP/IPSEC fix.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-03-17</date>
<authorinitials>TE</authorinitials>
<revremark>Action rules are reported as policies.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-02-03</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0.0.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2004-01-19</date>
<authorinitials>TE</authorinitials>
<revremark>IPV6 address problems. Make RFC1918 file section more
prominent.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-14</date>
<authorinitials>TE</authorinitials>
<revremark>Confusing template file in 1.4.9</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-03</date>
<authorinitials>TE</authorinitials>
<revremark>Added note about REJECT RedHat Kernal problem being
corrected.</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-29</date>
<authorinitials>TE</authorinitials>
<revremark>Updated RFC1918 file</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-17</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Conversion to Docbook XML</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
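Review bot: Two entries in the rewritten revision history still carry revnumber 1.3 (2004-01-14 and 2004-01-03). The same kind of duplicate for 1.6 was fixed in this hunk by renumbering the later entry to 1.7; do the same for 1.3 so every revision has a unique number. Also, "Kernal" in the 2004-01-03 remark should be "Kernel".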

File diff suppressed because it is too large.

Binary file not shown.

File diff suppressed because it is too large.


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-03</pubdate>
<pubdate>2004-04-27</pubdate>
<copyright>
<year>2001-2004</year>
@ -47,16 +47,16 @@
<caution>
<para>The configuration shown here corresponds to Shorewall version
2.0.1 (that&#39;s right -- I am running a version of Shorewall that is
not yet released). My configuration uses features not available in
earlier Shorewall releases.</para>
2.0.1. My configuration uses features not available in earlier Shorewall
releases.</para>
</caution>
<para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (206.124.146.176/32). Note
that the IP address of eth1 is a duplicate of one on eth0.</para>
that I configure the same IP address on both <filename class="devicefile">eth0</filename>
and <filename class="devicefile">eth1</filename>.</para>
<para>In this configuration:</para>
@ -127,8 +127,9 @@
<para>I run an SNMP server on my firewall to serve <ulink
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
in the DMZ.<graphic align="center" fileref="images/network.png" />The
ethernet interface in the Server is configured with IP address
in the DMZ.</para>
<para>The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway
is 206.124.146.254 (Router at my ISP. This is the same default gateway
used by the firewall itself). On the firewall, an entry in my
@ -136,6 +137,8 @@
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
<section>
@ -241,27 +244,6 @@ eth2 -
</blockquote>
</section>
<section id="RFC1918">
<title>RFC1918 File</title>
<blockquote>
<para>I use a stripped-down file which doesn&#39;t have to be updated
when the IANA allocates a block of IP addresses.</para>
</blockquote>
<blockquote>
<programlisting>#SUBNET TARGET
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses
192.168.0.0/16 logdrop # RFC 1918
10.24.60.56 DROP # Some idiot in my broadcast domain
# has a box configured with this
# address.
10.0.0.0/8 logdrop # Reserved (RFC 1918)</programlisting>
</blockquote>
</section>
<section>
<title>Blacklist File (Partial)</title>
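Review bot: Deleting this section also deletes the `id="RFC1918"` anchor, so any cross-reference to myfiles.htm#RFC1918 in the other documents will break silently; grep the rest of the documentation for that anchor before committing. A one-line pointer to the Documentation.htm#rfc1918 description would keep readers arriving via old links from landing on an unrelated section.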
@ -554,90 +536,6 @@ iface eth1 inet static
</emphasis>...</programlisting>
</blockquote>
</section>
<section id="Dhcpd">
<title>/etc/dhcpd.conf (MAC Addresses Omitted)</title>
<blockquote>
<para>While this is a little off-topic, I&#39;ve included it to show
how to set up DHCP on two interfaces.<programlisting>default-lease-time 67200; max-lease-time 67200;
get-lease-hostnames on;
group {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option ntp-servers 192.168.1.254;
option domain-name-servers 192.168.1.193;
option netbios-name-servers 192.168.1.254;
option domain-name &#34;shorewall.net&#34;;
option netbios-dd-server 192.168.1.254;
option netbios-node-type 8;
option netbios-scope &#34;&#34;;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.11 192.168.1.20;
}
host ursa.shorewall.net {
hardware ethernet …;
fixed-address 192.168.1.5;
}
host eastept1 {
hardware ethernet …;
fixed-address 192.168.1.7;
}
host tarry {
hardware ethernet …;
fixed-address 192.168.1.4;
}
host wookie.shorewall.net {
hardware ethernet …;
fixed-address 192.168.1.3;
}
host testws.shorewall.net {
hardware ethernet …;
fixed-address 192.168.1.6;
}
host printer.shorewall.net {
hardware ethernet …;
fixed-address 192.168.1.10;
}
}
group {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.3.255;
option routers 192.168.3.254;
option ntp-servers 192.168.3.254;
option domain-name-servers 206.124.146.177;
option netbios-name-servers 192.168.3.254;
option domain-name &#34;shorewall.net&#34;;
option netbios-dd-server 192.168.3.254;
option netbios-node-type 8;
option netbios-scope &#34;&#34;;
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.11 192.168.3.20;
}
host easteplaptop {
hardware ethernet …;
fixed-address 192.168.3.7;
}
host tipper.shorewall.net {
hardware ethernet …;
fixed-address 192.168.3.8;
}</programlisting></para>
</blockquote>
</section>
</section>
<section>
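Review bot: Removing the dhcpd.conf section also removes the `id="Dhcpd"` anchor, so links to myfiles.htm#Dhcpd elsewhere in the documentation will break silently; check for inbound references before committing. If the example is being dropped as off-topic, a short sentence saying that it was removed would spare readers who bookmarked it from searching the page for it.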


@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-03-27</pubdate>
<pubdate>2004-04-24</pubdate>
<copyright>
<year>2001-2002</year>
@ -101,14 +101,10 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
</section>
<section>
<title>ICQ</title>
<title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 4000
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 4000:4100</programlisting>
<para>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</para>
ACCEPT <emphasis>&#60;source&#62;</emphasis> net tcp 5190</programlisting>
</section>
<section>
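Review bot: The replacement ICQ/AIM rule changes the DESTINATION column from the <destination> placeholder used everywhere else in this file to a literal "net" while SOURCE stays a placeholder. Either make both placeholders for consistency, or add a sentence explaining why "net" is hard-coded here (the client only ever connects outbound to the service's own servers). The deleted explanatory paragraph was the only text in the entry that said what the ports were for; replace it with one sentence about TCP 5190 rather than leaving the entry bare.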
@ -208,7 +204,16 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<title>SMTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 25</programlisting>
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 25 #Insecure SMTP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 465 #SMTP over SSL (TLS)</programlisting>
</section>
<section>
<title>SNMP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 161:162
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 161</programlisting>
</section>
<section>
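Review bot: The "#Insecure SMTP" comment on port 25 is misleading: STARTTLS (RFC 3207) negotiates TLS on port 25, so 25 is not inherently cleartext, and 465 is the legacy SMTPS port rather than "TLS" in general; label them "SMTP" and "SMTP over SSL (SMTPS)" or similar. In the SNMP entry, udp 161 is the agent port and udp 162 is the trap-receiver port, so a single 161:162 rule towards one destination only makes sense when that host is both agent and manager; list them as separate rules. Because SNMP v1/v2c authenticate with a cleartext community string, also note that SOURCE should be restricted to the management station rather than a whole zone.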
@ -275,7 +280,9 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make
<para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-24</date><authorinitials>TE</authorinitials><revremark>Revised
ICQ/AIM.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-04-23</date><authorinitials>TE</authorinitials><revremark>Added
SNMP.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make
NFS work for everyone.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-14</date><authorinitials>TE</authorinitials><revremark>Add
PCAnywhere.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
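Review bot: Two revisions are numbered 1.8 (2004-04-24 "Revised ICQ/AIM" and 2004-04-23 "Added SNMP"); the later one should be 1.9.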


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-05-04</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -64,7 +65,8 @@
</listitem>
<listitem>
<para>start -- invoked after the firewall has been started or restarted.</para>
<para>start -- invoked after the firewall has been started or
restarted.</para>
</listitem>
<listitem>
@ -92,27 +94,90 @@
</listitem>
</itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn&#39;t have
the file that you want to use from the above list, you can simply create the
<para><emphasis role="bold">If your version of Shorewall doesn't have the
file that you want to use from the above list, you can simply create the
file yourself.</emphasis> You can also supply a script with the same name as
any of the filter chains in the firewall and the script will be invoked
after the /etc/shorewall/rules file has been processed but before the
/etc/shorewall/policy file has been processed.</para>
<para>Beginning with Shorewall 2.0.0, you can also define a
<emphasis>common action</emphasis> to be performed immediately before a
policy of ACCEPT, DROP or REJECT is applied. Separate actions can be
assigned to each policy type so for example you can have a different common
action for DROP and REJECT policies. The most common usage of common actions
is to silently drop traffic that you don&#39;t wish to have logged by the
policy.</para>
<para>There are a couple of special considerations for commands in extension
scripts:</para>
<itemizedlist>
<listitem>
<para>When you want to run <command>iptables</command>, use the command
<command>run_iptables</command> instead. <command>run_iptables</command>
will run the iptables utility passing the arguments to
<command>run_iptables</command> and if the command fails, the firewall
will be stopped (Shorewall version &lt; 2.0.2 Beta 1 or there is no
<filename>/var/lib/shorewall/restore</filename> file) or restored
(Shorewall version &gt;= 2.0.2 Beta 1 and
<filename>/var/lib/shorewall/restore</filename> exists).</para>
</listitem>
<listitem>
<para>With Shorewall 2.0.2 Beta 1 and later versions, if you run
commands other than <command>iptables</command> that must be re-run in
order to restore the firewall to its current state then you must save
the commands to the <firstterm>restore file</firstterm>. The restore
file is a temporary file in <filename
class="directory">/var/lib/shorewall</filename> that will be renamed
<filename>/var/lib/shorewall/restore-base</filename> at the successful
completion of the Shorewall command. The <command>shorewall
save</command> command combines
<filename>/var/lib/shorewall/restore-base</filename> with the output of
<command>iptables-save</command> to produce the
<filename>/var/lib/shorewall/restore</filename> script.</para>
<para>Here are three functions that are useful when running commands
other than <command>iptables</command>:</para>
<orderedlist>
<listitem>
<para><emphasis role="bold">save_command() </emphasis>-- saves the
passed command to the restore file.</para>
<para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
<para>That command would simply write "echo Operation Complete" to
the restore file.</para>
</listitem>
<listitem>
<para><emphasis role="bold">run_and_save_command()</emphasis> --
saves the passed command to the restore file then executes it. The
return value is the exit status of the command. Example:
<programlisting>run_and_save_command "echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
<para>Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes. This
applies to all of the functions described here.</para>
</listitem>
<listitem>
<para><emphasis role="bold">ensure_and_save_command()</emphasis> --
runs the passed command. If the command fails, the firewall is
restored to it's prior saved state and the operation is terminated.
If the command succeeds, the command is written to the restore
file</para>
</listitem>
</orderedlist>
</listitem>
</itemizedlist>
<para>Beginning with Shorewall 2.0.0, you can also define a <emphasis>common
action</emphasis> to be performed immediately before a policy of ACCEPT,
DROP or REJECT is applied. Separate <ulink
url="User_defined_Actions.html">actions</ulink> can be assigned to each
policy type so for example you can have a different common action for DROP
and REJECT policies. The most common usage of common actions is to silently
drop traffic that you don't wish to have logged by the policy.</para>
<para>As released, Shorewall defines a number of actions which are cataloged
in the <filename>/etc/shorewall/actions.std</filename> file. The default
<filename>/etc/shorewall/actions</filename> file contains <quote>INCLUDE
/etc/shorewall/actions.std</quote> so that the Shorewall-defined actions are
included by default. Among the entries in <filename>/etc/shorewall/actions.std</filename>
are:</para>
in the <filename>/usr/share/shorewall/actions.std</filename> file. That file
is processed before /etc/shorewall/actions. Among the entries in
<filename>/usr/share/shorewall/actions.std</filename> are:</para>
<programlisting>Drop:DROP
Reject:REJECT</programlisting>
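Review bot: The restore-file discussion should warn that whatever is passed to save_command() or run_and_save_command() is written into a shell script that is later executed verbatim, as root, when the firewall is restored, with no re-validation. An extension script that interpolates values taken from the environment or from /etc/shorewall/params into a saved command therefore also decides what runs at restore time. That caveat belongs next to the quoting rule ("the entire command must be enclosed in quotes"), since the quoted string is exactly what gets re-interpreted. Smaller points in the same list: the ensure_and_save_command() item has no example and no closing period; "restored to it's prior saved state" should be "its"; and run_and_save_command() is described as save-then-run while ensure_and_save_command() is run-then-save, so say explicitly that this ordering is why a failing command never reaches the restore file in the second case.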
@ -120,21 +185,20 @@ Reject:REJECT</programlisting>
<para>So the action named <quote>Drop</quote> is performed immediately
before DROP policies are applied and the action called <quote>Reject</quote>
is performed before REJECT policies are applied. These actions are defined
in the files <filename>/etc/shorewall/action.Drop</filename> and
<filename>/etc/shorewall/action.Reject</filename> respectively.</para>
in the files <filename>/usr/share/shorewall/action.Drop</filename> and
<filename>/usr/share/shorewall/action.Reject</filename> respectively.</para>
<para>You can override these defaults with entries in your
/etc/shorewall/actions file. For example, if that file were to contain
<quote>MyDrop:DROP</quote> then the common action for DROP policies would
become <quote>MyDrop</quote>. For an example, see <ulink url="myfiles.htm">my
configuration files</ulink>.</para>
become <quote>MyDrop</quote>.</para>
<para>One final note. The chain created to perform an action has the same
name as the action. You can use an extension script by that name to add
rules to the action&#39;s chain in the same way as you can any other chain.
So if you create the new action <quote>Dagger</quote> and define it in
rules to the action's chain in the same way as you can any other chain. So
if you create the new action <quote>Dagger</quote> and define it in
<filename>/etc/shorewall/action.Dagger</filename>, you can also have an
extension script named <filename>/etc/shorewall/Dagger</filename> that can
add rules to the <quote>Dagger</quote> chain that can&#39;t be created using
add rules to the <quote>Dagger</quote> chain that can't be created using
<filename>/etc/shorewall/action.Dagger</filename>.</para>
</article>
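Review bot: The paragraph about "MyDrop:DROP" should state explicitly which definition wins when both /etc/shorewall/actions and /usr/share/shorewall/actions.std name a common action for the same policy. The previous section says actions.std "is processed before /etc/shorewall/actions", and readers used to the first-match semantics of the rules file may read that as actions.std taking precedence, which contradicts the "You can override these defaults" sentence here.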


@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2004-04-04</pubdate>
<pubdate>2004-05-07</pubdate>
<copyright>
<year>2001-2004</year>
@ -27,7 +27,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -36,7 +37,7 @@
<itemizedlist>
<listitem>
<para>Uses Netfilter&#39;s connection tracking facilities for stateful
<para>Uses Netfilter's connection tracking facilities for stateful
packet filtering.</para>
</listitem>
@ -54,9 +55,10 @@
</listitem>
<listitem>
<para>Allows you to partitions the network into <ulink
<para>Allows you to partition the network into <ulink
url="Documentation.htm#Zones">zones</ulink> and gives you complete
control over the connections permitted between each pair of zones.</para>
control over the connections permitted between each pair of
zones.</para>
</listitem>
<listitem>
@ -78,26 +80,30 @@
<listitem>
<para>A <emphasis role="bold">GUI</emphasis> is available via Webmin
1.060 and later (<ulink url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
1.060 and later (<ulink
url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
</listitem>
<listitem>
<para>Extensive <emphasis role="bold"><ulink
url="Documentation_Index.html">documentation</ulink></emphasis>
included in the .tgz and .rpm downloads.</para>
url="Documentation_Index.html">documentation</ulink></emphasis> in
available in both XML and HTML formats.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Flexible address management/routing
support</emphasis> (and you can use all types in the same firewall):</para>
support</emphasis> (and you can use all types in the same
firewall):</para>
<itemizedlist>
<listitem>
<para><ulink url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
<para><ulink
url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
</listitem>
<listitem>
<para><ulink url="FAQ.htm#faq1">Port Forwarding (DNAT)</ulink>.</para>
<para><ulink url="FAQ.htm#faq1">Port Forwarding
(DNAT)</ulink>.</para>
</listitem>
<listitem>
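Review bot: "documentation in available in both XML and HTML formats" should read "documentation is available ...". The old wording also told readers the documentation is "included in the .tgz and .rpm downloads"; if that is still true, keep it, since knowing the documentation is present offline in the package matters to someone building a firewall before the machine has connectivity.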
@ -107,6 +113,11 @@
<listitem>
<para><ulink url="ProxyARP.htm">Proxy ARP</ulink>.</para>
</listitem>
<listitem>
<para><ulink url="netmap.html">NETMAP</ulink> (requires a 2.6
kernel or a patched 2.4 kernel).</para>
</listitem>
</itemizedlist>
</listitem>
@ -146,15 +157,16 @@
</listitem>
<listitem>
<para><ulink url="PPTP.htm">PPTP</ulink> clients and Servers.</para>
<para><ulink url="PPTP.htm">PPTP</ulink> clients and
Servers.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Support for <ulink url="traffic_shaping.htm"><emphasis
role="bold">Traffic</emphasis> Control/<emphasis role="bold">Shaping</emphasis></ulink>
integration.</para>
role="bold">Traffic</emphasis> Control/<emphasis
role="bold">Shaping</emphasis></ulink> integration.</para>
</listitem>
<listitem>
@ -171,7 +183,7 @@
<listitem>
<para>Includes automated <ulink url="Install.htm">install,
upgrade, fallback and uninstall facilities</ulink> for users who
can&#39;t use or choose not to use the RPM or Debian packages.</para>
can't use or choose not to use the RPM or Debian packages.</para>
</listitem>
<listitem>
@ -184,7 +196,8 @@
<listitem>
<para><ulink url="MAC_Validation.html">Media Access Control (<emphasis
role="bold">MAC</emphasis>) Address <emphasis role="bold">Verification</emphasis></ulink>.</para>
role="bold">MAC</emphasis>) Address <emphasis
role="bold">Verification</emphasis></ulink>.</para>
</listitem>
<listitem>
@ -193,8 +206,9 @@
</listitem>
<listitem>
<para><ulink url="bridge.html"><emphasis role="bold">Bridge</emphasis>/Firewall
support</ulink> (requires a 2.6 kernel or a patched 2.4 kernel).</para>
<para><ulink url="bridge.html"><emphasis
role="bold">Bridge</emphasis>/Firewall support</ulink> (requires a 2.6
kernel or a patched 2.4 kernel).</para>
</listitem>
</itemizedlist>
</section>


@ -15,10 +15,10 @@
</author>
</authorgroup>
<pubdate>2003-12-18</pubdate>
<pubdate>2004-04-25</pubdate>
<copyright>
<year>2001 - 2003</year>
<year>2001 - 2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -142,7 +142,7 @@
</section>
<section>
<title>Configuring a Separate Log for Shorewall Messages</title>
<title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
<para>There are a couple of limitations to syslogd-based logging:</para>


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-04-16</pubdate>
<copyright>
<year>2001-2004</year>
@ -36,6 +36,12 @@
<para>With thanks to Richard who reminded me once again that we must all
first walk before we can run.</para>
<para>The French Translations of the single-IP guides are courtesy of
Patrice Vetsel. Updated for Shorewall 2.0 by Fabien Demassieux.</para>
<para>The French Translation of the Shorewall Setup Guide is courtesy of
Fabien Demassieux.</para>
<section id="Guides">
<title>The Guides</title>
@ -50,11 +56,14 @@
you want to learn more about Shorewall than is explained in these simple
guides then the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> is for you.<itemizedlist><listitem><para><ulink
url="standalone.htm">Standalone</ulink> Linux System</para></listitem><listitem><para><ulink
url="standalone.htm">Standalone</ulink> Linux System (<ulink
url="standalone_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
url="two-interface.htm">Two-interface</ulink> Linux System acting as a
firewall/router for a small local network</para></listitem><listitem><para><ulink
firewall/router for a small local network (<ulink
url="two-interface_fr.html">Version Française</ulink>)</para></listitem><listitem><para><ulink
url="three-interface.htm">Three-interface</ulink> Linux System acting as
a firewall/router for a small local network and a DMZ.</para></listitem></itemizedlist></para>
a firewall/router for a small local network and a DMZ.. (<ulink
url="three-interface_fr.html">Version Française</ulink>)</para></listitem></itemizedlist></para>
</section>
<section>
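Review bot: the new three-interface entry reads "a DMZ.. (" with a doubled period; drop one. Separately, the three French links added here use the `.html` extension (`standalone_fr.html`, `two-interface_fr.html`, `three-interface_fr.html`) while every other guide link on this page uses `.htm` (`standalone.htm`, `two-interface.htm`, `shorewall_setup_guide.htm`) and the setup-guide translation further down links to `shorewall_setup_guide_fr.htm`; unless the build really emits both extensions, one set of these is a dead link, so confirm the generated filenames before publishing.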
@ -64,7 +73,8 @@
(See Index Below) outlines the steps necessary to set up a firewall
where there are multiple public IP addresses involved or if you want to
learn more about Shorewall than is explained in the single-address
guides above </para>
guides above (<ulink url="shorewall_setup_guide_fr.htm">Version
Française</ulink>)</para>
</section>
</section>
</article>
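Review bot: the sentence that now ends "guides above (<ulink url="shorewall_setup_guide_fr.htm">Version Française</ulink>)" still has no terminating period, a defect the old text also had; add one after the closing parenthesis. Note too that this translation link uses `.htm` while the three per-guide translations above use `.html`, so at least one of the two conventions needs to be reconciled against the actual output filenames.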


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-16</pubdate>
<pubdate>2004-04-22</pubdate>
<copyright>
<year>2002-2004</year>
@ -187,10 +187,11 @@
first checked against the <filename><filename>/etc/shorewall/rules</filename></filename>
file. If no rule in that file matches the connection request then the
first policy in <filename>/etc/shorewall/policy</filename> that matches
the request is applied. If that policy is REJECT or DROP the request is
first checked against the rules in /etc/shorewall/common if that file
exists; otherwise the rules in <filename>/etc/shorewall/common.def</filename>
are checked.</para>
the request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied.</para>
<para>The <filename>/etc/shorewall/policy</filename> file included with
the one-interface sample has the following policies:</para>
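Review bot: two typos in the replacement text, "comon action" should be "common action" and "peformed" should be "performed". The final clause "then that action is peformed before the action is applied" uses "action" for two different things; "before the policy is applied" says what is meant. Also worth confirming that `shorewall_extension_scripts.htm` is where 2.0 documents common actions; if they are described on the Actions page instead, link there, since the old `/etc/shorewall/common` mechanism this paragraph used to describe is exactly what the reader will be looking for.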


@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="IPIP">
<article id="standalone">
<!--$Id$-->
<articleinfo>
<title>Standalone Firewall</title>
@ -11,47 +13,57 @@
<surname>Eastep</surname>
</author>
<author>
<firstname>Patrice</firstname>
<surname>Vetsel</surname>
</author>
<author>
<firstname>Fabien</firstname>
<surname>Demassieux</surname>
</author>
</authorgroup>
<pubdate>2003-12-30</pubdate>
<pubdate>2004-02-16</pubdate>
<copyright>
<year>2001-2003</year>
<year>2002-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
dcument under the terms of the GNU Free Documentation License, Version
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para><emphasis role="underline">Notes du traducteur :</emphasis> Je ne
prétends pas être un vrai traducteur dans le sens ou mon travail n&#39;est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N&#39;hésitez pas à me contacter afin
d&#39;améliorer ce document <ulink url="mailto:vetsel.patrice@wanadoo.fr">VETSEL
Patrice</ulink> (merci à JMM pour sa relecture et ses commentaires
pertinents, ainsi qu&#39;à Tom EASTEP pour son formidable outil et sa
disponibilité).</para>
<para><emphasis role="underline">Notes du traducteur :</emphasis> Le guide
initial a été traduit par <ulink
url="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</ulink> que je
remercie. J'en ai assuré la révision pour l'adapter à la version 2 de
Shorewall. J'espère vous faciliter l'accès et la prise en main d'un
firewall performant, efficace, adaptable et facile d'utilisation. Donc
félicitations pour la qualité du travail et la disponibilité offerte par
Thomas M. Eastep. Si vous trouvez des erreurs ou des améliorations à
apporter vous pouvez me contacter <ulink
url="mailto:fd03x@wanadoo.fr">Fabien Demassieux</ulink></para>
</note>
<section id="Documentation">
<section>
<title>Introduction</title>
<para>Mettre en place un système Linux en tant que firewall (écluse) pour
un petit réseau est une chose assez simple, si vous comprenez les bases et
suivez la documentation.</para>
<para>Configurer Shorewall sur un système isolé Linux est très simple si
vous comprenez les bases et suivez la documentation.</para>
<para>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
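Review bot: the Introduction `<section>` loses its `id="Documentation"` in this hunk, so any existing inbound link to the `#Documentation` anchor of the French standalone guide will break; either keep the id or check that nothing links to it. The copyright `<year>` change to 2002-2004 matches the English standalone.xml in this same commit, and the "dcument" to "document" fix in the legal notice is correct.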
@ -72,391 +84,507 @@
</listitem>
</itemizedlist>
<para>Ce guide suppose que vous avez le paquet iproute/iproute2
d&#39;installé. Vous pouvez voir si le paquet est installé en vérifiant la
présence du programme ip sur votre système de firewall. Sous root,
utilisez la commande &#39;which&#39; pour rechercher le programme :</para>
<section>
<title>Pré-requis</title>
<programlisting> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
</programlisting>
<para>Shorewall a besoin que le package
<command>iproute</command>/<command>iproute2</command> soit installé
(avec la distribution <trademark>RedHat</trademark>, le package
s'appelle <command>iproute</command>). Vous pouvez vérifier si le
package est installé par la présence du programme <command>ip</command>
sur votre firewall. En tant que <systemitem
class="username">root</systemitem>, vous pouvez utiliser la commande
<command>which</command> pour cela:</para>
<para>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu&#39;il va se passer, et de revenir au
début en effectuant le changements dans votre configuration. Les points,
où les changements dans la configuration sont recommandées, sont signalés
par une <inlinegraphic fileref="images/BD21298_.gif" /></para>
<programlisting>[root@gateway root]# <command>which ip</command>
/sbin/ip
[root@gateway root]#</programlisting>
</section>
<caution>
<para>Si vous éditez vos fichiers de configuration sur un système
Windows, vous devez les sauver comme des fichiers Unix si votre éditeur
supporte cette option sinon vous devez les faire passer par dos2unix
avant d&#39;essayer de les utiliser. De la même manière, si vous copiez
un fichier de configuration depuis votre disque dur Windows vers une
disquette, vous devez lancer dos2unix sur la copie avant de
l&#39;utiliser avec Shorewall.</para>
<section>
<title>Avant de commencer</title>
<itemizedlist>
<listitem>
<para><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</ulink></para>
</listitem>
<para>Je recommande en premier la lecture complète du guide afin de se
familiariser avec les tenants et aboutissants puis de revenir sur les
modifications de votre configuration adapté à votre système.</para>
<listitem>
<para><ulink url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</ulink></para>
</listitem>
</itemizedlist>
</caution>
<caution>
<para>Si vous éditez vos fichiers de configuration sur un système
<trademark>Windows</trademark>, vous devez les sauver comme des
fichiers <trademark>Unix</trademark> si votre éditeur supporte cette
option sinon vous devez les convertir avec <command>dos2unix</command>
avant d'essayer de les utiliser. De la même manière, si vous copiez un
fichier de configuration depuis votre disque dur
<trademark>Windows</trademark> vers une disquette, vous devez lancer
<command>dos2unix</command> sur la copie avant de l'utiliser avec
Shorewall.</para>
<itemizedlist>
<listitem>
<para><ulink
url="http://www.simtel.net/pub/pd/51438.html"><trademark>Windows</trademark>
Version of <command>dos2unix</command></ulink></para>
</listitem>
<listitem>
<para><ulink
url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of <command>dos2unix</command></ulink></para>
</listitem>
</itemizedlist>
</caution>
</section>
<section>
<title>Conventions</title>
<para>Les points ou les modifications s'imposent sont indiqués par
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
</section>
</section>
<section>
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Si vous êtes équipé d'un modem <acronym>ADSL</acronym> et utilisez
<acronym>PPTP</acronym> pour communiquer avec un serveur à travers ce
modem, vous devez faire le changement <ulink
url="PPTP.htm#PPTP_ADSL">suivant</ulink> en plus de ceux ci-dessous.
<acronym>ADSL</acronym> avec <acronym>PPTP</acronym> est commun en Europe,
ainsi qu'en Australie.</para>
</section>
<section>
<title>Les Concepts de Shorewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" /> Les fichiers de
configuration pour Shorewall sont situés dans le répertoire /etc/shorewall
-- pour de simples paramétrages, vous n&#39;avez à faire qu&#39;avec
quelques un d&#39;entre eux comme décris dans ce guide. Après avoir <ulink
url="Install.htm">installé Shorewall</ulink>, <emphasis role="bold">téléchargez
<ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">le
one-interface sample</ulink>, un-tarez le (tar -zxvf one-interface.tgz) et
copiez les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de
même nom déjà existant dans /etc/shorewall installés lors de
l&#39;installation de Shorewall)</emphasis>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers
<para>Les fichiers de configuration pour Shorewall sont situés dans le
répertoire /etc/shorewall -- pour de simples paramétrages, vous n'avez à
faire qu'avec quelques un d'entre eux comme décris dans ce guide.<tip>
<para>Après avoir <ulink url="Install.htm">installé Shorewall</ulink>,
téléchargez <ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/">l'exemple
one-interface</ulink>, décompressez le (<command>tar
<option>-zxvf</option>
<filename>one-interface.tgz</filename></command>) et copiez les
fichiers dans <filename class="directory">/etc/shorewall</filename>
<emphasis role="bold">(ces fichiers remplaceront les
initiaux)</emphasis>.</para>
</tip>Parallèlement à la présentation, je vous suggère de jeter un oeil
à ceux physiquement présents sur votre système -- chacun des fichiers
contient des instructions de configuration détaillées et des entrées par
défaut.</para>
<para>Shorewall voit le réseau où il tourne comme composé par un ensemble
de zones. Dans les fichiers de configuration fournis pour une unique
<para>Shorewall voit le réseau où il fonctionne, comme un ensemble de
zones.Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</para>
<table>
<title>Zones</title>
<informaltable>
<tgroup cols="2">
<tbody>
<thead>
<row>
<entry align="left"><emphasis role="bold">Zone</emphasis></entry>
<entry align="center">Name</entry>
<entry align="left" role="underline"><emphasis role="bold">Description</emphasis></entry>
<entry align="center">Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The Internet</entry>
</row>
</tbody>
</tgroup>
</table>
</informaltable>
<para>Les zones de Shorewall sont définies dans /etc/shorewall/zones.</para>
<para>Les zones de Shorewall sont définies dans <ulink
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
<para>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que fw.</para>
zone - par défaut, le firewall est connu comme <emphasis
role="bold"><varname>fw</varname></emphasis>.</para>
<para>Les règles concernant le trafic à autoriser ou à interdire sont
exprimées en utilisant les termes de zones.</para>
<table>
<title>/etc/shorewall/policy</title>
<itemizedlist>
<listitem>
<para>Vous exprimez votre politique par défaut pour les connexions
d'une zone vers une autre zone dans le fichier <ulink
url="Documentation.htm#Policy"><filename
class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>.</para>
</listitem>
<tgroup cols="5">
<tbody>
<row>
<entry><emphasis role="bold">SOURCE ZONE</emphasis></entry>
<listitem>
<para>Vous définissez les exceptions à ces politiques pas défaut dans
le fichier <ulink url="Documentation.htm#Rules"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>.</para>
</listitem>
</itemizedlist>
<entry><emphasis role="bold">DESTINATION ZONE</emphasis></entry>
<para>Pour chaque connexion demandant à entrer dans le firewall, la
requête est en premier lieu comparée par rapport au fichier <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>. Si
aucune règle dans ce fichier ne correspond à la demande de connexion alors
la première politique dans le fichier <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
qui y correspond sera appliquée. Si cette politique est
<varname>REJECT</varname> ou <varname>DROP</varname> la requête est dans
un premier temps comparée par rapport aux règles contenues dans le fichier
<filename
class="directory">/etc/shorewall/</filename><filename>common</filename>,
si ce fichier existe; sinon les régles dans le fichier <filename
class="directory">/etc/shorewall/</filename><filename>common.def</filename>
sont vérifiées.</para>
<entry><emphasis role="bold">POLICY</emphasis></entry>
<para>Le fichier /etc/shorewall/policy inclus dans l'archive d'exemple
(one-interface) contient les politiques suivantes:</para>
<entry><emphasis role="bold">LOG LEVEL</emphasis></entry>
<entry><emphasis role="bold">LIMIT:BURST</emphasis></entry>
</row>
<row>
<entry>fw</entry>
<entry>net</entry>
<entry>ACCEPT</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>net</entry>
<entry>all</entry>
<entry>DROP</entry>
<entry>info</entry>
<entry></entry>
</row>
<row>
<entry>all</entry>
<entry>all</entry>
<entry>REJECT</entry>
<entry>info</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
net all DROP info
all all REJECT info</programlisting>
<para>Ces politiques vont :</para>
<orderedlist>
<listitem>
<para>permettre toutes demandes de connexion depuis le firewall vers
l&#39;Internet</para>
<para>Permettre toutes demandes de connexion depuis le firewall vers
l'Internet</para>
</listitem>
<listitem>
<para>drop (ignorer) toutes les demandes de connexion depuis
l&#39;Internet vers votre firewall</para>
<para>Drop (ignorer) toutes les demandes de connexion depuis
l'Internet vers votre firewall</para>
</listitem>
<listitem>
<para>rejeter toutes les autres requêtes de connexion (Shorewall à
besoin de cette politique).</para>
<para>Reject (rejeter) toutes les autres requêtes de connexion
(Shorewall à besoin de cette politique).</para>
</listitem>
</orderedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" /> A ce point, éditez
votre /etc/shorewall/policy et faites y les changements que vous désirez.</para>
votre /etc/shorewall/policy et faites y les changements que vous
désirez.</para>
</section>
<section>
<title>Interface Externe</title>
<para>Le firewall possède une seule interface réseau. Lorsque la connexion
Internet passe par un modem câble ou par un routeur ADSL (pas un simple
modem), l&#39;External Interface (interface externe) sera l&#39;adaptateur
ethernet (<emphasis role="bold">eth0</emphasis>) qui y est connecté à
moins que vous vous connectiez par Point-to-Point Protocol over Ethernet
(PPPoE) ou Point-to-Point TunnelingProtocol(PPTP) dans ce cas
l&#39;interface externe sera <emphasis role="bold">ppp0</emphasis>. Si
vous vous connectez par un simple modem (RTC), votre interface externe
sera aussi <emphasis role="bold">ppp0</emphasis>. Si vous vous connectez
en utilisant l&#39;ISDN (numéris), votre interface externe sera <emphasis
role="bold">ippp0</emphasis>.</para>
Internet passe par un modem câble ou par un
<quote>Routeur</quote><acronym> ADSL</acronym>(pas un simple modem),
l'<emphasis>Interface Externe</emphasis> sera l'adaptateur ethernet qui y
est connecté à ce <quote>Modem</quote> (e.g., <filename
class="devicefile">eth0</filename>) à moins d'une connexion par
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet
(<acronym>PPPoE</acronym>) ou <emphasis>Point-to-Point Tunneling
Protocol</emphasis> (<acronym>PPTP</acronym>) dans ce cas l'interface
externe sera (e.g., <filename class="devicefile">ppp0</filename>). Si vous
utilisez par un simple modem (<acronym>RTC</acronym>), votre interface
externe sera aussi <filename class="devicefile">ppp0</filename>. Si vous
utilisez l'<acronym>ISDN</acronym>, votre interface externe sera <filename
class="devicefile">ippp0</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /> L&#39;exemple de
configuration de Shorewall pour une interface suppose que votre interface
externe est <emphasis role="bold">eth0</emphasis>. Si votre configuration
est différente, vous devrez modifier le fichier d&#39;exemple
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous
pourriez parcourir la liste d&#39;options qui sont spécifiées pour
l&#39;interface. Quelques astuces :</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<itemizedlist>
<listitem>
<para>Si votre interface externe est <emphasis role="bold">ppp0</emphasis>
ou <emphasis role="bold">ippp0</emphasis>, vous pouvez remplacer le
&#34;detect&#34; dans la seconde colonne par un &#34;-&#34;.</para>
</listitem>
<para>Si votre interface vers l'extérieur est <emphasis
role="bold">ppp0</emphasis> ou <emphasis role="bold">ippp0</emphasis>
alors vous mettrez <varname>CLAMPMSS=yes</varname> dans le fichier
<filename
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>
<listitem>
<para>Si votre interface externe est <emphasis role="bold">ppp0</emphasis>
ou <emphasis role="bold">ippp0</emphasis> ou bien si vous avez une
adresse IP statique, vous pouvez enlever le &#34;dhcp&#34; de la liste
d&#39;option.</para>
</listitem>
</itemizedlist>
<para>Le fichier de configuration d'exemple pour une interface suppose que
votre interface externe est eth0. Si votre configuration est différente,
vous devrez modifier le fichier<filename
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
options qui sont spécifiées pour les interfaces. Quelques trucs:</para>
<tip>
<para>Si votre interface vers l'extérieur est <filename
class="devicefile">ppp0</filename> ou <filename
class="devicefile">ippp0</filename>, vous pouvez remplacer le detect
dans la seconde colonne par un <quote>-</quote> (sans les
quotes).</para>
</tip>
<tip>
<para>Si votre interface vers l'extérieur est <filename
class="devicefile">ppp0</filename> or <filename
class="devicefile">ippp0</filename> u si vous avez une adresse
<acronym>IP</acronym> statique, vous pouvez enlever
<varname>dhcp</varname> dans la liste des options .</para>
</tip>
<tip>
<para>Si vous spécifiez <emphasis>norfc1918</emphasis> pour votre
interface externe, vous pouvez vérifier périodiquement le <ulink
url="errata.htm">Shorewall Errata</ulink> pour mettre à jour le fichier
<filename>/usr/share/shorewall/rfc1918</filename>. Sinon, vous pouvez
copier le fichier <filename>/usr/share/shorewall/rfc1918</filename> vers
<filename>/etc/shorewall/rfc1918</filename> et <ulink
url="myfiles.htm#RFC1918">adapter votre fichier
<filename>/etc/shorewall/rfc1918</filename> comme je le
fais</ulink>.</para>
</tip>
</section>
<section>
<title>Adresse IP</title>
<para>La RFC 1918 définie plusieurs plage d&#39;adresses IP privée
(PrivateIP) pour l&#39;utilisation dans des réseaux privés :</para>
<programlisting> 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</programlisting>
<para>Ces adresses sont parfois désignées comme étant non-routables car
les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans
certains cas, les fournisseurs (provider ou ISP) utilisent ces adresses et
utilisent le Network Address Translation afin de récrire les entêtes des
paquets lorsqu&#39;ils les font circuler depuis ou vers l&#39;Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /> Avant de lancer
Shorewall, vous devriez regarder l&#39;adresse de votre interface externe
et si elle est comprise dans une des plages précédentes, vous devriez
enlever l&#39;option &#39;norfc1918&#39; dans le fichier
/etc/shorewall/interfaces.</para>
</section>
<section>
<title>Permettre d&#39;autres connexions</title>
<para>Si vous désirez autoriser d&#39;autres connexions depuis
l&#39;Internet vers votre firewall, le format général est :<table><title>/etc/shorewall/rules</title><tgroup
cols="7"><tbody><row><entry><emphasis role="bold">ACTION</emphasis></entry><entry><emphasis
role="bold">SOURCE</emphasis></entry><entry><emphasis role="bold">DESTINATION</emphasis></entry><entry><emphasis
role="bold">PROTOCOL</emphasis></entry><entry><emphasis role="bold">PORT</emphasis></entry><entry><emphasis
role="bold">SOURCE PORT</emphasis></entry><entry><emphasis role="bold">ORIGINAL
DEST</emphasis></entry></row><row><entry>ACCEPT</entry><entry>net</entry><entry>fw</entry><entry><emphasis>&#60;protocol&#62;</emphasis></entry><entry><emphasis>&#60;port&#62;</emphasis></entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
<para>Exemple - Vous voulez faire tourner un serveur Web et un serveur
POP3 sur votre système de firewall :</para>
<para>Avant d'aller plus loin, nous devons dire quelques mots au sujet des
adresses Internet Protocol (<acronym>IP</acronym>). Normalement, votre
fournisseur Internet <acronym>ISP</acronym> vous assignera une seule
adresse IP. Cette adresse peut être assignée par le Dynamic Host
Configuration Protocol (<acronym>DHCP</acronym>) ou lors de
l'établissement de votre connexion (modem standard) ou établissez votre
connexion <acronym>PPP</acronym>. Dans de rares cas , votre provider peut
vous assigner une adresse statique <acronym>IP</acronym> ; cela signifie
que vous devez configurer l'interface externe de votre firewall afin
d'utiliser cette adresse de manière permanente. La <emphasis
role="bold">RFC 1918</emphasis> réserve plusieurs plages d'adresses
privées <emphasis>Private</emphasis> <acronym>IP</acronym> à cet
fin:</para>
<table>
<title>/etc/shorewall/rules</title>
<title>Exemple sous-réseau</title>
<tgroup cols="2">
<colspec align="left" />
<tgroup cols="7">
<tbody>
<row>
<entry><emphasis role="bold">ACTION</emphasis></entry>
<entry>Range:</entry>
<entry><emphasis role="bold">SOURCE</emphasis></entry>
<entry><emphasis role="bold">DESTINATION</emphasis></entry>
<entry><emphasis role="bold">PROTOCOL</emphasis></entry>
<entry><emphasis role="bold">PORT</emphasis></entry>
<entry><emphasis role="bold">SOURCE PORT</emphasis></entry>
<entry><emphasis role="bold">ORIGINAL DEST</emphasis></entry>
<entry><systemitem class="ipaddress">10.10.10.0</systemitem> -
<systemitem class="ipaddress">10.10.10.255</systemitem></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>Subnet Address:</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
<entry><systemitem
class="ipaddress">10.10.10.0</systemitem></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>Broadcast Address:</entry>
<entry>net</entry>
<entry><systemitem
class="ipaddress">10.10.10.255</systemitem></entry>
</row>
<entry>fw</entry>
<row>
<entry>CIDR Notation:</entry>
<entry>tcp</entry>
<entry>110</entry>
<entry></entry>
<entry></entry>
<entry><systemitem
class="ipaddress">10.10.10.0/24</systemitem></entry>
</row>
</tbody>
</tgroup>
</table>
<para>Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <ulink url="ports.htm">ici</ulink>.
<emphasis role="bold">Important:</emphasis> Je ne vous recommande pas
d&#39;autoriser le telnet depuis ou vers l&#39;Internet car il utilise du
texte en clair (même pour le login et le mot de passe !). Si vous voulez
avoir un accès au shell de votre firewall depuis Internet, utilisez SSH :</para>
<para>Ces adresses sont parfois nommées comme
<emphasis>non-routable</emphasis> car les routeurs centraux d'Internet ne
renvoient pas un paquet dont la destination est réservée par la RFC 1918.
Dans certain cas cependant, les FAI (fournisseurs d'accés Internet)
assignent ces adresses et utilisent ensuite NAT <emphasis>Network Address
Translation</emphasis> pour réécrire les en-têtes de paquets renvoyés
vers/depuis Internet.</para>
<table>
<title>/etc/shorewall/rules</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<tgroup cols="7">
<tbody>
<row>
<entry><emphasis role="bold">ACTION</emphasis></entry>
<entry><emphasis role="bold">SOURCE</emphasis></entry>
<entry><emphasis role="bold">DESTINATION</emphasis></entry>
<entry><emphasis role="bold">PROTOCOL</emphasis></entry>
<entry><emphasis role="bold">PORT</emphasis></entry>
<entry><emphasis role="bold">SOURCE PORT</emphasis></entry>
<entry><emphasis role="bold">ORIGINAL DEST</emphasis></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>tcp</entry>
<entry>22</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para><inlinegraphic fileref="images/BD21298_.gif" /> A ce point, éditez
/etc/shorewall/rules pour rajouter les autres connexions désirées.</para>
<para>Avant de lancer Shorewall, regarder l'adresse IP de votre interface
externe, et si elle est dans les plages précédentes, vous devez enlever
l'option 'norfc1918' dans la ligne concernant l'interface externe dans le
fichier <filename
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
</section>
<section>
<title>Lancer et Arrêter son Firewall</title>
<title>Permettre d'autres connexions</title>
<para>La <ulink url="Install.htm">procédure d&#39;installation</ulink>
<para>Shorewall version 2.0.0 et postérieure propose une collection
d'actions qui peuvent être utilisées pour rapidemement autoriser ou
refuser des services. Pour voir les actions comprises avec votre version
de Shorewall, regardez dans le fichier
<filename>/etc/shorewall/actions.std</filename>. Le nom de celles qui
acceptent des connexions débutent par <quote>Allow</quote>.</para>
<para>Si vous souhaitez autoriser d'autre connexions depuis internet vers
votre firewall, le format général utilisant l'action type
<quote>Allow</quote> est:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
&lt;<emphasis>action</emphasis>&gt; net fw</programlisting>
<example>
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
votre firewall:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
AllowWeb net fw
AllowPOP3 net fw</programlisting>
</example>
<para>Au cas ou Shorewall ne propose pas d'actions définies qui vous
conviennent, vous pouvez les définir vous même ou coder directement les
régles dans <filename>/etc/shorewall/rules</filename> selon le format
suivant:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net fw <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example>
<title>Vous voulez un serveur Web et POP3 accessible de l'extérieur sur
votre firewall:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net fw tcp 80
ACCEPT net fw tcp 110</programlisting></para>
</example>
<para>Si vous ne savez pas quel port(s) et protocole(s) requièrent une
application particulière, vous pouvez regarder <ulink
url="ports.htm">ici</ulink>.</para>
<important>
<para>Je ne recommande pas d'autoriser <command>telnet</command> vers/de
l'Internet parce qu'il utilise du texte en clair (même pour le login!).
Si vous voulez un accés shell à votre firewall, utilisez
<acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
AllowSSH net fw</programlisting>
</important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Maintenant, éditez votre fichier de configuration <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>
pour ajouter, modifier ou supprimer les autres connexions voulues.</para>
</section>
<section>
<title>Démarrer et Arrêter Votre Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>La <ulink url="Install.htm">procédure d'installation</ulink>
configure votre système pour lancer Shorewall au boot du système, mais au
début avec la version 1.3.9 de Shorewall le lancement est désactivé,
n&#39;essayer pas de lancer Shorewall avec que la configuration soit
finie. Une fois que vous en aurez fini avec la configuration du firewall,
vous pouvez permettre le lancement de Shorewall en supprimant le fichier
/etc/shorewall/startup_disabled.</para>
n'essayer pas de lancer Shorewall avec que la configuration soit finie.
Une fois que vous en aurez fini avec la configuration du firewall, vous
pouvez permettre le lancement de Shorewall en supprimant le fichier
<filename
class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.</para>
<para><emphasis role="bold">IMPORTANT: Les utilisateurs des paquets .deb
doivent éditer /etc/default/shorewall et mettre &#39;startup=1&#39;.</emphasis></para>
<important>
<para>Les utilisateurs des paquets .deb doivent éditer <filename
class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para>
</important>
<para>Le firewall est activé en utilisant la commande &#34;shorewall
start&#34; et arrêté avec &#34;shorewall stop&#34;. Lorsque le firewall
est stoppé, le routage est autorisé sur les hôtes qui possèdent une entrée
dans <ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
Un firewall qui tourne peut être relancé en utilisant la commande
&#34;shorewall restart&#34;. Si vous voulez enlever toutes traces de
Shorewall sur votre configuration de Netfilter, utilisez &#34;shorewall
clear&#34;.</para>
<para>Le firewall est activé en utilisant la commande
<quote><command>shorewall start</command></quote> et arrêté avec
<quote><command>shorewall stop</command></quote>. Lorsque le firewall est
stoppé, le routage est autorisé sur les hôtes qui possèdent une entrée
dans <filename
class="directory">/etc/shorewall/</filename><filename><ulink
url="Documentation.htm#Routestopped">routestopped</ulink></filename>. Un
firewall qui tourne peut être relancé en utilisant la commande
<quote><command>shorewall restart</command></quote> command. Si vous
voulez enlever toutes traces de Shorewall sur votre configuration de
Netfilter, utilisez <quote><command>shorewall
clear</command></quote>.</para>
<para><emphasis role="bold">ATTENTION:</emphasis> Si vous êtes connecté à
votre firewall depuis Internet, n&#39;essayez pas une commande
&#34;shorewall stop&#34; tant que vous n&#39;avez pas ajouté une entrée
pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
dans<ulink url="Documentation.htm#Routestopped">
/etc/shorewall/routestopped</ulink>. De la même manière, je ne vous
recommande pas d&#39;utiliser &#34;shorewall restart&#34;; il est plus
intéressant de créer <ulink url="configuration_file_basics.htm#Configs">une
configuration alternative</ulink> et de la tester en utilisant la commande
&#34;<ulink url="starting_and_stopping_shorewall.htm">shorewall try</ulink>&#34;.</para>
<warning>
<para>Si vous êtes connecté à votre firewall depuis Internet, n'essayez
pas une commande <quote><command>shorewall stop</command></quote> tant
que vous n'avez pas ajouté une entrée pour votre adresse
<acronym>IP</acronym> (celle à partir de laquelle vous êtes connectée)
dans <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
De la même manière, je ne vous recommande pas d'utiliser
<quote><command>shorewall restart</command></quote>; il est plus
intéressant de créer <ulink
url="configuration_file_basics.htm#Configs">une configuration
alternative</ulink> et de la tester en utilisant la commande
<quote><command>shorewall try</command></quote>.</para>
</warning>
</section>
<section>
<title>Autres Lectures Recommandées</title>
<para>Je vous recommande vivement de lire la <ulink
url="configuration_file_basics.htm">page des Fonctionnalités Générales des
Fichiers de Configuration</ulink> -- elle contient des trucs sur les
possibilités de Shorewall pour rendre aisé l'administration de votre
firewall Shorewall.</para>
</section>
<appendix>
<title>Historique de Révision</title>
<para><revhistory>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-16</date>
<authorinitials>TE</authorinitials>
<revremark>Move /etc/shorewall/rfc1918 to
/usr/share/shorewall.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-01-05</date>
<authorinitials>TE</authorinitials>
<revremark>Standards Changes</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-30</date>
<authorinitials>TE</authorinitials>
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-11-15</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook Conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
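Review bot: a stray English word survives in the rewritten paragraph: "relancé en utilisant la commande <quote><command>shorewall restart</command></quote> command." The trailing "command" was carried over from the English source and should be dropped. The rewrite also loses the link the old text had on "shorewall try" (starting_and_stopping_shorewall.htm); consider keeping it, e.g. <ulink url="starting_and_stopping_shorewall.htm"><command>shorewall try</command></ulink>. Since the warning is being rewritten anyway, "vous êtes connectée" should agree as "connecté".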

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-04</pubdate>
<pubdate>2004-05-03</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -41,7 +42,7 @@
url="Install.htm">installation procedure</ulink> attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
this default, you can use your distribution&#39;s run-level editor.</para>
this default, you can use your distribution's run-level editor.</para>
<caution>
<itemizedlist>
@ -49,8 +50,9 @@
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file <filename>/etc/shorewall/startup_disabled</filename>. Note:
Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
and set <quote>startup=1</quote>.</para>
Users of the .deb package must edit
<filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</para>
</listitem>
<listitem>
@ -68,29 +70,40 @@
<itemizedlist>
<listitem>
<para><command>shorewall start </command>- starts the firewall. It
important to understand that when the firewall is in the <emphasis
role="bold">Started</emphasis> state there is <emphasis>no Shorewall
Program</emphasis> <emphasis>running</emphasis>. It rather means that
Netfilter has been configured to handle traffic as described in your
Shorewall configuration files. Please refer to the <link
linkend="State">Shorewall State Diagram</link> as shown at the bottom
of this page for more information.</para>
<para><command>shorewall [ -q ] [ -f ] start </command>- starts the
firewall. It important to understand that when the firewall is in the
<emphasis role="bold">Started</emphasis> state there is <emphasis>no
Shorewall Program</emphasis> <emphasis>running</emphasis>. It rather
means that Netfilter has been configured to handle traffic as
described in your Shorewall configuration files. Please refer to the
<link linkend="State">Shorewall State Diagram</link> as shown at the
bottom of this page for more information. The -q option was added in
Shorewall 2.0.2 Beta 1 and reduces the amout of output produced. Also
beginning with Shorewall version 2.0.2 Beta 1, the -f option may be
specified; if this option is given and the file
<filename>/var/lib/shorewall/restore</filename> is present (see
<command>shorewall save</command> below), then that script is run to
restore the state of the firewall to the state when
<filename>/var/lib/shorewall/restore</filename> was created. This is
generally must faster than starting the firewall without the -f
option.</para>
</listitem>
<listitem>
<para><command>shorewall stop</command> - stops the firewall; the only
traffic permitted through the firewall is from systems listed in
<filename>/etc/shorewall/routestopped</filename> (Beginning with
version 1.4.7, if ADMINISABSENTMINDED=Yes in <filename>/etc/shorewall/shorewall.conf</filename>
then in addition, all existing connections are permitted and any new
connections originating from the firewall itself are allowed).</para>
version 1.4.7, if ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename> then in addition,
all existing connections are permitted and any new connections
originating from the firewall itself are allowed).</para>
</listitem>
<listitem>
<para><command>shorewall restart </command>- stops the firewall (if it
is in the <emphasis role="bold">Started</emphasis> state) and then
starts it again</para>
<para><command>shorewall [ -q ] restart </command>- stops the firewall
(if it is in the <emphasis role="bold">Started</emphasis> state) and
then starts it again. The -q option was added in Shorewall 2.0.2 Beta
1 and reduces the amout of output produced.</para>
</listitem>
<listitem>
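Review bot: "It important to understand" is missing "is", "amout" should be "amount" (it appears again in the restart item below) and "generally must faster" should read "much faster". The -f description should also state the trade-off plainly: the restore script reinstates the rule set exactly as it was when shorewall save ran, so any edits made to /etc/shorewall after that point are not applied by "shorewall -f start". A sentence telling the reader to run shorewall save again after every successful configuration change (or shorewall forget to discard the saved state) would stop stale rules being silently restored.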
@ -100,7 +113,8 @@
<listitem>
<para><command>shorewall clear</command> - remove all rules and chains
installed by Shoreline Firewall. The firewall is <quote>wide open</quote></para>
installed by Shoreline Firewall. The firewall is <quote>wide
open</quote></para>
</listitem>
<listitem>
@ -108,18 +122,38 @@
involving the broadcast addresses of firewall interfaces, the black
list, traffic control rules and ECN control rules.</para>
</listitem>
<listitem>
<para><command>shorewall save</command> - Beginning with Shorewall
2.0.2 Beta1, this command creates a script
<filename>/var/lib/shorewall/restore</filename> which when run will
restore the state of the firewall to its current state.</para>
</listitem>
<listitem>
<para><command>shorewall restore</command> - Runs the
<filename>/var/lib/shorewall/restore </filename>created by the
<command>shorewall save</command> command.</para>
</listitem>
<listitem>
<para>shorewall forget - Added in Shorewall 2.0.2 Beta 1. Removes the
<filename>/var/lib/shorewall restore</filename> script created by the
<command>shorewall save </command>command.</para>
</listitem>
</itemizedlist>
<para>If you include the keyword debug as the first argument, then a shell
trace of the command is produced as in:</para>
<para><programlisting> <command>shorewall debug start 2&#62; /tmp/trace</command></programlisting>The
<para><programlisting> <command>shorewall debug start 2&gt; /tmp/trace</command></programlisting>The
above command would trace the <quote>start</quote> command and place the
trace information in the file /tmp/trace</para>
<para>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands: <programlisting> <command>shorewall help [ command | host | address ]</command></programlisting>The
<quote>shorewall</quote> program may also be used to monitor the firewall.</para>
<quote>shorewall</quote> program may also be used to monitor the
firewall.</para>
<itemizedlist>
<listitem>
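Review bot: the path in the forget item is wrong: "<filename>/var/lib/shorewall restore</filename>" should be "<filename>/var/lib/shorewall/restore</filename>". Also "shorewall forget" is not wrapped in <command> like the neighbouring items, the restore item reads "Runs the <filename>/var/lib/shorewall/restore </filename>created by" (the word "script" is missing and there is a trailing space inside the element), and "Beta1" should be "Beta 1" for consistency with the rest of the file.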
@ -128,21 +162,24 @@
</listitem>
<listitem>
<para><command>shorewall show &#60;chain1&#62; [ &#60;chain2&#62; ...
]</command> - produce a verbose report about the listed chains (<command>iptables
-L chain -n -v</command>) Note: You may only list one chain in the
show command when running Shorewall version 1.4.6 and earlier. Version
1.4.7 and later allow you to list multiple chains in one command.</para>
<para><command>shorewall show &lt;chain1&gt; [ &lt;chain2&gt; ...
]</command> - produce a verbose report about the listed chains
(<command>iptables -L chain -n -v</command>) Note: You may only list
one chain in the show command when running Shorewall version 1.4.6 and
earlier. Version 1.4.7 and later allow you to list multiple chains in
one command.</para>
</listitem>
<listitem>
<para><command>shorewall show nat</command> - produce a verbose report
about the nat table (<command>iptables -t nat -L -n -v</command>)</para>
about the nat table (<command>iptables -t nat -L -n
-v</command>)</para>
</listitem>
<listitem>
<para><command>shorewall show tos</command> - produce a verbose report
about the mangle table (<command>iptables -t mangle -L -n -v</command>)</para>
about the mangle table (<command>iptables -t mangle -L -n
-v</command>)</para>
</listitem>
<listitem>
@ -161,17 +198,18 @@
</listitem>
<listitem>
<para><command>shorewall monitor [ &#60;delay&#62; ]</command> -
<para><command>shorewall monitor [ &lt;delay&gt; ]</command> -
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded. The
<emphasis>&#60;delay&#62;</emphasis> indicates the number of seconds
<emphasis>&lt;delay&gt;</emphasis> indicates the number of seconds
between updates with the default being 10 seconds.</para>
</listitem>
<listitem>
<para><command>shorewall hits</command> - Produces several reports
about the Shorewall packet log messages in the current log file named
in the LOGFILE variable in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
in the LOGFILE variable in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem>
<listitem>
@ -181,21 +219,27 @@
<listitem>
<para><command>shorewall check</command> - Performs a cursory
validation of the zones, interfaces, hosts, rules and policy files.<caution><para>The
<quote><command>check</command></quote> command is totally unsuppored
and does not parse and validate the generated iptables commands. Even
though the <quote>check</quote> command completes successfully, the
configuration may fail to start. Problem reports that complain about
errors that the <quote>check</quote> command does not detect will not
be accepted.</para><para>See the recommended way to make configuration
changes described below.</para></caution></para>
validation of the zones, interfaces, hosts, rules and policy
files.<caution>
<para>The <quote><command>check</command></quote> command is
totally unsuppored and does not parse and validate the generated
iptables commands. Even though the <quote>check</quote> command
completes successfully, the configuration may fail to start.
Problem reports that complain about errors that the
<quote>check</quote> command does not detect will not be
accepted.</para>
<para>See the recommended way to make configuration changes
described below.</para>
</caution></para>
</listitem>
<listitem>
<para><command>shorewall try &#60;<errortype>configuration-directory</errortype>&#62;
[ &#60;timeout&#62; ]</command> - Restart shorewall using the
specified configuration and if an error occurs or if the
<emphasis>&#60;timeout&#62;</emphasis> option is given and the new
<para><command>shorewall try
&lt;<errortype>configuration-directory</errortype>&gt; [
&lt;timeout&gt; ]</command> - Restart shorewall using the specified
configuration and if an error occurs or if the
<emphasis>&lt;timeout&gt;</emphasis> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</para>
</listitem>
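Review bot: "unsuppored" should be "unsupported"; the paragraph is being reflowed anyway, so correct it here. Also <errortype> is the DocBook element for error classes, not for a user-supplied argument; <replaceable>configuration-directory</replaceable> is the idiomatic markup and would render consistently with the <emphasis>&lt;timeout&gt;</emphasis> placeholder in the same sentence.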
@ -212,16 +256,17 @@
<itemizedlist>
<listitem>
<para><command>shorewall ipcalc [ &#60;address&#62; &#60;mask&#62; |
&#60;address&#62;/&#60;vlsm&#62; ] </command>- displays the network
<para><command>shorewall ipcalc [ &lt;address&gt; &lt;mask&gt; |
&lt;address&gt;/&lt;vlsm&gt; ] </command>- displays the network
address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</para>
</listitem>
<listitem>
<para><command>shorewall iprange &#60;address1&#62;-&#60;address2&#62;</command>
- Decomposes the specified range of IP addresses into the equivalent
list of network/host addresses</para>
<para><command>shorewall iprange
&lt;address1&gt;-&lt;address2&gt;</command> - Decomposes the specified
range of IP addresses into the equivalent list of network/host
addresses</para>
</listitem>
</itemizedlist>
@ -230,19 +275,19 @@
<itemizedlist>
<listitem>
<para><command>shorewall drop &#60;ip address list&#62;</command> -
<para><command>shorewall drop &lt;ip address list&gt;</command> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem>
<para><command>shorewall reject &#60;ip address list&#62;</command> -
<para><command>shorewall reject &lt;ip address list&gt;</command> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para><command>shorewall allow &#60;ip address list&#62;</command> -
<para><command>shorewall allow &lt;ip address list&gt;</command> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject command.</para>
</listitem>
@ -250,7 +295,10 @@
<listitem>
<para><command>shorewall save</command> - save the dynamic
blacklisting configuration so that it will be automatically restored
the next time that the firewall is restarted.</para>
the next time that the firewall is restarted. Beginning with Shorewall
version 2.0.2 Beta1, this command also creats the
<filename>/var/lib/shorewall/restore</filename> script as described
above.</para>
</listitem>
<listitem>
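Review bot: "creats" should be "creates", and "Beta1" should be "Beta 1" as elsewhere in the document.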
@ -264,15 +312,15 @@
<itemizedlist>
<listitem>
<para><command>shorewall add &#60;interface&#62;[:&#60;host&#62;]
&#60;zone&#62;</command> - Adds the specified interface (and host if
<para><command>shorewall add &lt;interface&gt;[:&lt;host&gt;]
&lt;zone&gt;</command> - Adds the specified interface (and host if
included) to the specified zone.</para>
</listitem>
<listitem>
<para><command>shorewall delete &#60;interface&#62;[:&#60;host&#62;]
&#60;zone&#62;</command> - Deletes the specified interface (and host
if included) from the specified zone.</para>
<para><command>shorewall delete &lt;interface&gt;[:&lt;host&gt;]
&lt;zone&gt;</command> - Deletes the specified interface (and host if
included) from the specified zone.</para>
<para>Examples:<programlisting> <command>shorewall add ipsec0:192.0.2.24 vpn1</command> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
<command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
@ -280,24 +328,51 @@
</itemizedlist>
</section>
<section>
<title>Error Handling</title>
<para>When <command>shorewall start</command>, <command>shorewall
restart</command> or <command>shorewall refresh</command> encounter an
error, the behavior depends on which version of Shorewall you are running
and whether there is a <filename>/var/lib/shorewall/restore</filename>
script available (see <command>shorewall save</command> above).</para>
<itemizedlist>
<listitem>
<para>If you are running a version of Shorewall earlier than 2.0.2
Beta 1 then the effect is as if a <command>shorewall stop</command>
command had been run.</para>
</listitem>
<listitem>
<para>If you have executed a <command>shorewall save</command> command
without a subsequent <command>shorewall forget</command>, then the
firewall is restored to the state when <command>shorewall
save</command> was executed.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Alternate Configurations</title>
<para>The <command>shorewall start</command>, <command>shorewall restart</command>,
<command>shorewall check</command>, and <command>shorewall try </command>commands
allow you to specify which Shorewall configuration to use:</para>
<para>The <command>shorewall start</command>, <command>shorewall
restart</command>, <command>shorewall check</command>, and
<command>shorewall try </command>commands allow you to specify which
Shorewall configuration to use:</para>
<programlisting> <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command>
<command>shorewall try &#60;configuration-directory&#62;</command></programlisting>
<programlisting> <command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
<command>shorewall try &lt;configuration-directory&gt;</command></programlisting>
<para>If a <emphasis>&#60;configuration-directory</emphasis>&#62; is
<para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
specified, each time that Shorewall is going to use a file in <filename
class="directory">/etc/shorewall</filename> it will first look in the<emphasis>
&#60;configuration-directory&#62;</emphasis> . If the file is present in
the <emphasis>&#60;configuration-directory&#62;,</emphasis> that file will
be used; otherwise, the file in <filename class="directory">/etc/shorewall</filename>
will be used. When changing the configuration of a production firewall, I
recommend the following:</para>
class="directory">/etc/shorewall</filename> it will first look in
the<emphasis> &lt;configuration-directory&gt;</emphasis> . If the file is
present in the <emphasis>&lt;configuration-directory&gt;,</emphasis> that
file will be used; otherwise, the file in <filename
class="directory">/etc/shorewall</filename> will be used. When changing
the configuration of a production firewall, I recommend the
following:</para>
<itemizedlist>
<listitem>
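Review bot: the new Error Handling list does not cover every case its introduction promises. The paragraph says the behavior depends on the Shorewall version and on whether a /var/lib/shorewall/restore script exists, but only two outcomes are listed: earlier than 2.0.2 Beta 1 (acts like shorewall stop) and a saved state being available. The third case, 2.0.2 Beta 1 or later with no restore script (never saved, or saved and then forgotten), is left unspecified; add a bullet saying what the firewall does then, since that is the state a reader hits on a fresh install. Minor: in the Alternate Configurations paragraph, "the<emphasis> &lt;configuration-directory&gt;</emphasis> ." keeps the misplaced spaces from the old text; move the space outside the element and drop the one before the period.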
@ -309,8 +384,8 @@
</listitem>
<listitem>
<para>&#60;copy any files that you need to change from /etc/shorewall
to . and change them here&#62;</para>
<para>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</para>
</listitem>
<listitem>
@ -318,7 +393,7 @@
</listitem>
<listitem>
<para>&#60;correct any errors found by check and check again&#62;</para>
<para>&lt;correct any errors found by check and check again&gt;</para>
</listitem>
<listitem>
@ -326,10 +401,10 @@
</listitem>
</itemizedlist>
<para>If the configuration starts but doesn&#39;t work, just
<quote>shorewall restart</quote> to restore the old configuration. If the
new configuration fails to start, the <quote>try</quote> command will
automatically start the old one for you.</para>
<para>If the configuration starts but doesn't work, just <quote>shorewall
restart</quote> to restore the old configuration. If the new configuration
fails to start, the <quote>try</quote> command will automatically start
the old one for you.</para>
<para>When the new configuration works then just:</para>
@ -357,7 +432,8 @@
<para>You will note that the commands that result in state transitions use
the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
That is because the actual transitions are done by
<command>/usr/share/shorewall/firewall</command>;
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
to the following table:</para>
@ -402,7 +478,8 @@
<entry>firewall restart</entry>
<entry>Logically equivalent to <quote>firewall stop;firewall start</quote></entry>
<entry>Logically equivalent to <quote>firewall stop;firewall
start</quote></entry>
</row>
<row>
@ -450,7 +527,7 @@
<row>
<entry>shorewall try</entry>
<entry>firewall -c &#60;new configuration&#62; restart If
<entry>firewall -c &lt;new configuration&gt; restart If
unsuccessful then firewall start (standard configuration) If
timeout then firewall restart (standard configuration)</entry>
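Review bot: the cell "firewall -c &lt;new configuration&gt; restart If unsuccessful then firewall start (standard configuration) If timeout then firewall restart (standard configuration)" runs three statements together with no punctuation; separate them with semicolons or a <simplelist> so the fallback sequence of the try command is readable.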
@ -464,9 +541,36 @@
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.3-1.8</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Docbook
standards</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
clarification about &#34;Started State&#34;</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook conversion</revremark></revision></revhistory></para>
<para><revhistory>
<revision>
<revnumber>1.3-1.8</revnumber>
<date>2004-01-04</date>
<authorinitials>TE</authorinitials>
<revremark>Docbook standards</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-31</date>
<authorinitials>TE</authorinitials>
<revremark>Added clarification about "Started State"</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-29</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
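Review bot: the revision history is reformatted but not updated. The pubdate moves to 2004-05-03 and this change documents the -q and -f options, the save, restore and forget commands and the new Error Handling section, yet the newest <revision> is still "1.3-1.8" dated 2004-01-04; add a revision entry describing the 2.0.2 Beta 1 changes.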

View File

@ -18,10 +18,6 @@
<pubdate>YYYY-MM-DD</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Thomas M. Eastep</holder>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-03</pubdate>
<pubdate>2004-04-22</pubdate>
<copyright>
<year>2002-2004</year>
@ -228,10 +228,11 @@
first checked against the <filename>/etc/shorewall/rules</filename> file.
If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied. If that policy is REJECT or DROP the request is first
checked against the rules in <filename>/etc/shorewall/common</filename> if
that file exists; otherwise the file <filename>/etc/shorewall/common.def</filename>
is checked</para>
request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied.</para>
<para>The <filename>/etc/shorewall/policy</filename> file included with
the three-interface sample has the following policies:</para>
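Review bot: the link target looks wrong: "comon action" points at shorewall_extension_scripts.htm, but common actions are documented on User_defined_Actions.html, which this same commit references elsewhere. Also "comon" should be "common" and "peformed" should be "performed", and "that action is peformed before the action is applied" is ambiguous; "before the policy is applied" is what is meant.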

File diff suppressed because it is too large

View File

@ -12,7 +12,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2003-04-03</pubdate>
<pubdate>2003-04-22</pubdate>
<copyright>
<year>2002</year>
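Review bot: the pubdate year looks wrong. It changes from 2003-04-03 to 2003-04-22, while the three-interface document earlier in this diff moves from 2004-04-03 to 2004-04-22; 2003-04-22 is almost certainly a typo for 2004-04-22.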
@ -184,11 +184,11 @@
class="directory">/etc/shorewall/</filename><filename>rules</filename>
file. If no rule in that file matches the connection request then the
first policy in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If that policy is <varname>REJECT</varname>
or <varname>DROP</varname> the request is first checked against the rules
in <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
if that file exists; otherwise the rules in <filename class="directory">/etc/shorewall/</filename><filename>common.def</filename>
are checked.</para>
that matches the request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied.</para>
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the two-interface sample has the following policies:
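Review bot: this paragraph duplicates the three-interface text verbatim and carries the same problems: "comon" should be "common", "peformed" should be "performed", the ulink on "common action" points at shorewall_extension_scripts.htm rather than User_defined_Actions.html, and "before the action is applied" should read "before the policy is applied".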

File diff suppressed because it is too large

View File

@ -30,7 +30,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink type="" url="copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink type="" url="copyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -41,10 +42,10 @@
the version number mentioned in the section title is later than what you
are currently running.</para>
<para>In the descriptions that follows, the term <emphasis>group</emphasis>
refers to a particular network or subnetwork (which may be
<literal>0.0.0.0/0</literal> or it may be a host address) accessed through
a particular interface.</para>
<para>In the descriptions that follows, the term
<emphasis>group</emphasis> refers to a particular network or subnetwork
(which may be <literal>0.0.0.0/0</literal> or it may be a host address)
accessed through a particular interface.</para>
<para>Examples:</para>
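Review bot: "In the descriptions that follows" should be "In the descriptions that follow" (subject-verb agreement); the sentence is rewrapped here, so fix it in the same change.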
@ -61,38 +62,95 @@
</section>
<section>
<title>Version &#62;= 2.0.1</title>
<title>Version &gt;= 2.0.2 Beta 1</title>
<itemizedlist>
<listitem>
<para>The function of &#39;norfc1918&#39; is now split between that
option and a new &#39;nobogons&#39; option. The rfc1918 file released
with Shorewall now contains entries for only those three address
ranges reserved by RFC 1918. A &#39;nobogons&#39; interface option has
been added which handles bogon source addresses (those which are
reserved by the IANA, those reserved for DHCP auto-configuration and
the class C test-net reserved for testing and documentation examples).
This will allow users to perform RFC 1918 filtering without having to
deal with out of date data from IANA. Those who are willing to update
their <filename>/usr/share/shorewall/bogons</filename> file regularly
can specify the &#39;nobogons&#39; option in addition to
&#39;norfc1918&#39;. The level at which bogon packets are logged is
specified in the new BOGON_LOG_LEVEL variable in shorewall.conf. If
that option is not specified or is specified as empty (e.g,
BOGON_LOG_LEVEL=&#34;&#34;) then bogon packets whose TARGET is
&#39;logdrop&#39; in <filename>/usr/share/shorewall/bogons</filename>
are logged at the &#39;info&#39; level.</para>
<para>Extension Scripts - In order for extension scripts to work
properly with the new iptables-save/restore integration introduced in
Shorewall 2.0.2 Beta 1, some change may be required to your extension
scripts.</para>
<para>If your extension scripts are executing commands other than
iptables then those commands must also be written to the restore file
(a temporary file in <filename
class="directory">/var/lib/shorewall</filename> that is renamed
<filename>/var/lib/shorewall/restore-base</filename> at the
completeion of the <filename>/sbin/shorewall</filename> command). The
following functions should be of help:</para>
<orderedlist>
<listitem>
<para>save_command() -- saves the passed command to the restore
file.</para>
<para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
<para>That command would simply write "echo Operation Complete" to
the restore file.</para>
</listitem>
<listitem>
<para> run_and_save_command() -- saves the passed command to the
restore file then executes it. The return value is the exit status
of the command. Example: <programlisting>run_and_save_command "echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
<para>Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes.
This applies to all of the functions described here.</para>
</listitem>
<listitem>
<para>ensure_and_save_command() -- runs the passed command. If the
command fails, the firewall is restored to it's prior saved state
and the operation is terminated. If the command succeeds, the
command is written to the restore file</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>Dynamic Zone support. - If you don't need to use the
<command>shorewall add</command> and <command>shorewall
delete</command> commands, you should set DYNAMIC_ZONES=No in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>VERSION &#62;= 2.0.0-Beta1</title>
<title>Version &gt;= 2.0.1</title>
<itemizedlist>
<listitem>
<para>The &#39;dropunclean&#39; and &#39;logunclean&#39; interface
options are no longer supported. If either option is specified in
<para>The function of 'norfc1918' is now split between that option and
a new 'nobogons' option. The rfc1918 file released with Shorewall now
contains entries for only those three address ranges reserved by RFC
1918. A 'nobogons' interface option has been added which handles bogon
source addresses (those which are reserved by the IANA, those reserved
for DHCP auto-configuration and the class C test-net reserved for
testing and documentation examples). This will allow users to perform
RFC 1918 filtering without having to deal with out of date data from
IANA. Those who are willing to update their
<filename>/usr/share/shorewall/bogons</filename> file regularly can
specify the 'nobogons' option in addition to 'norfc1918'. The level at
which bogon packets are logged is specified in the new BOGON_LOG_LEVEL
variable in shorewall.conf. If that option is not specified or is
specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon packets whose
TARGET is 'logdrop' in
<filename>/usr/share/shorewall/bogons</filename> are logged at the
'info' level.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>VERSION &gt;= 2.0.0-Beta1</title>
<itemizedlist>
<listitem>
<para>The 'dropunclean' and 'logunclean' interface options are no
longer supported. If either option is specified in
<filename>/etc/shorewall/interfaces</filename>, a threatening message
will be generated.</para>
</listitem>
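Review bot: the restore file name is inconsistent. This paragraph says the temporary file is renamed /var/lib/shorewall/restore-base, while the command descriptions elsewhere in this commit refer only to /var/lib/shorewall/restore created by shorewall save; clarify which file the extension-script commands end up in and how it relates to the restore script. Because every command written to that file is re-executed verbatim by a later restore, it is also worth saying explicitly that extension scripts should only save commands that are safe to repeat; a command with side effects is replayed on every restore. Typos: "completeion" should be "completion" and "it's prior saved state" should be "its prior saved state". The function names save_command(), run_and_save_command() and ensure_and_save_command() should be in <function> markup, and ensure_and_save_command() is the only one of the three without an example.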
@ -101,18 +159,19 @@
<para>The NAT_BEFORE_RULES option has been removed from
<filename>shorewall.conf</filename>. The behavior of Shorewall 2.0 is
as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT
rules now always take precidence over one-to-one NAT specifications.</para>
rules now always take precidence over one-to-one NAT
specifications.</para>
</listitem>
<listitem>
<para>The default value for the ALL INTERFACES column in
<filename>/etc/shorewall/nat</filename> has changed. In Shorewall 1.*,
if the column was left empty, a value of &#34;Yes&#34; was assumed.
This has been changed so that a value of &#34;No&#34; is now assumed.</para>
if the column was left empty, a value of "Yes" was assumed. This has
been changed so that a value of "No" is now assumed.</para>
</listitem>
<listitem>
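Review bot: "precidence" should be "precedence"; the line is being rewrapped, so correct it here.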
<para>The following files don&#39;t exist in Shorewall 2.0:</para>
<para>The following files don't exist in Shorewall 2.0:</para>
<simplelist>
<member><filename>/etc/shorewall/common.def</filename></member>
@ -122,13 +181,14 @@
<member><filename>/etc/shorewall/icmpdef</filename></member>
<member><filename>/etc/shorewall/action.template</filename> (moved
to <filename>/usr/share/shorewall/action.template</filename>)</member>
to
<filename>/usr/share/shorewall/action.template</filename>)</member>
</simplelist>
<para>The <filename>/etc/shorewall/action</filename> file now allows
an action to be designated as the &#34;common&#34; action for a
particular policy type by following the action name with &#34;:&#34;
and the policy (DROP, REJECT or ACCEPT).</para>
an action to be designated as the "common" action for a particular
policy type by following the action name with ":" and the policy
(DROP, REJECT or ACCEPT).</para>
<para>The file /usr/share/shorewall/actions.std has been added to
define those actions that are released as part of Shorewall 2.0 In
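Review bot: the trailing context line "define those actions that are released as part of Shorewall 2.0 In" is missing the period after "2.0"; since the surrounding paragraph is being reflowed, it is a cheap fix to include.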
@ -144,28 +204,29 @@
policies while the <quote>Reject</quote> action is the default action
for REJECT policies. These actions will be performed on packets prior
to applying the DROP or REJECT policy respectively. In the first
release, the difference between &#34;Reject&#34; and &#34;Drop&#34; is
that &#34;Reject&#34; REJECTs SMB traffic while &#34;Drop&#34;
silently drops such traffic.</para>
release, the difference between "Reject" and "Drop" is that "Reject"
REJECTs SMB traffic while "Drop" silently drops such traffic.</para>
<para>As described above, Shorewall allows a common action for ACCEPT
policies but does not specify such an action in the default
configuration.</para>
<para>For more information see the <ulink
url="User_defined_Actions.html">User-defined Action Page</ulink>.</para>
url="User_defined_Actions.html">User-defined Action
Page</ulink>.</para>
</listitem>
<listitem>
<para>The <filename>/etc/shorewall</filename> directory no longer
contains <filename>users</filename> file or a <filename>usersets</filename>
file. Similar functionality is now available using user-defined
actions.</para>
contains <filename>users</filename> file or a
<filename>usersets</filename> file. Similar functionality is now
available using user-defined actions.</para>
<para>Now, action files created by copying <filename>/usr/share/shorewall/action.template</filename>
may now specify a USER and or GROUP name/id in the final column just
like in the rules file (see below). It is thus possible to create
actions that control traffic from a list of users and/or groups.</para>
<para>Now, action files created by copying
<filename>/usr/share/shorewall/action.template</filename> may now
specify a USER and or GROUP name/id in the final column just like in
the rules file (see below). It is thus possible to create actions that
control traffic from a list of users and/or groups.</para>
</listitem>
<listitem>
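Review bot: three wording problems survive the reflow in this hunk: `contains <filename>users</filename> file` needs an article ("contains a users file or a usersets file"); `Now, action files ... may now specify` says "now" twice; and `USER and or GROUP` should be "USER and/or GROUP". Suggested text: "Action files created by copying /usr/share/shorewall/action.template may now specify a USER and/or GROUP name/id in the final column, just as in the rules file (see below)."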
@ -173,57 +234,69 @@
now labeled USER/GROUP and may contain:</para>
<simplelist>
<member>[!]&#60;<emphasis>user number</emphasis>&#62;[:]</member>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<member>[!]:&#60;<emphasis>group number</emphasis>&#62;</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<member>[!]:&#60;<emphasis>group name</emphasis>&#62;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user number</emphasis>&#62;:&#60;<emphasis>group
number</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
number</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user inumber</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&#62;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
</simplelist>
</listitem>
<listitem>
<para>If your kernel has IPV6 support (recent
<trademark>SuSe</trademark> for example), and you don't use IPV6 then
you will probably want to set DISABLE_IPV6=Yes in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
You must have ipv6tables installed.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Version &#62;= 1.4.8</title>
<title>Version &gt;= 1.4.8</title>
<itemizedlist mark="bullet">
<listitem>
<para>The meaning of <varname>ROUTE_FILTER=Yes</varname> has changed.
Previously this setting was documented as causing route filtering to
occur on all network interfaces; this didn&#39;t work. Beginning with
this release, <varname>ROUTE_FILTER=Yes</varname> causes route
filtering to occur on all interfaces brought up while Shorewall is
running. This means that it may be appropriate to set
occur on all network interfaces; this didn't work. Beginning with this
release, <varname>ROUTE_FILTER=Yes</varname> causes route filtering to
occur on all interfaces brought up while Shorewall is running. This
means that it may be appropriate to set
<varname>ROUTE_FILTER=Yes</varname> and use the routefilter option in
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
<filename
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
entries.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Version &#62;= 1.4.6</title>
<title>Version &gt;= 1.4.6</title>
<itemizedlist mark="bullet">
<listitem>
<para>The <varname>NAT_ENABLED</varname>, <varname>MANGLE_ENABLED</varname>
and <varname>MULTIPORT</varname> options have been removed from
<filename>shorewall.conf</filename>. These capabilities are now
automatically detected by Shorewall.</para>
<para>The <varname>NAT_ENABLED</varname>,
<varname>MANGLE_ENABLED</varname> and <varname>MULTIPORT</varname>
options have been removed from <filename>shorewall.conf</filename>.
These capabilities are now automatically detected by Shorewall.</para>
</listitem>
<listitem>
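Review bot: `<emphasis>user inumber</emphasis>` in the USER/GROUP list is a typo for "user number" (every other entry in the same list uses "user number"); since the entity conversion rewrites that line anyway, correct it here. In the DISABLE_IPV6 item, `You must have ipv6tables installed` names the utility incorrectly; the binary is `ip6tables`, so that should be checked before the line is reflowed again.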
@ -239,39 +312,48 @@ zone eth1:192.168.1.0/24,192.168.2.0/24
</section>
<section>
<title>Version &#62;= 1.4.4</title>
<title>Version &gt;= 1.4.4</title>
<para>If you are upgrading from 1.4.3 and have set the <varname>LOGMARKER</varname>
variable in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>,
<para>If you are upgrading from 1.4.3 and have set the
<varname>LOGMARKER</varname> variable in <filename
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>,
then you must set the new <varname>LOGFORMAT</varname> variable
appropriately and remove your setting of <varname>LOGMARKER</varname>.</para>
appropriately and remove your setting of
<varname>LOGMARKER</varname>.</para>
</section>
<section>
<title>Version 1.4.4</title>
<para>If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the <option>--log-prefix</option>
in a logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem.</para>
experience problems starting Shorewall because the
<option>--log-prefix</option> in a logging rule is too long. Upgrade to
Version 1.4.4a to fix this problem.</para>
</section>
<section>
<title>Version &#62;= 1.4.2</title>
<title>Version &gt;= 1.4.2</title>
<para>There are some cases where you may want to handle traffic from a
particular group to itself. While I personally think that such a setups
are ridiculous, there are two cases covered in this documentation where it
can occur: <itemizedlist><listitem><para><ulink url="FAQ.htm#faq2">In FAQ
#2</ulink></para></listitem><listitem><para><ulink
url="Shorewall_Squid_Usage.html">When running <application>Squid</application>
as a transparent proxy in your local zone.</ulink></para></listitem></itemizedlist>
If you have either of these cases, you will want to review the current
documentation and change your configuration accordingly.</para>
can occur: <itemizedlist>
<listitem>
<para><ulink url="FAQ.htm#faq2">In FAQ #2</ulink></para>
</listitem>
<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">When running
<application>Squid</application> as a transparent proxy in your
local zone.</ulink></para>
</listitem>
</itemizedlist> If you have either of these cases, you will want to
review the current documentation and change your configuration
accordingly.</para>
</section>
<section>
<title>Version &#62;= 1.4.1</title>
<title>Version &gt;= 1.4.1</title>
<itemizedlist mark="bullet">
<listitem>
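Review bot: `such a setups are ridiculous` in the 1.4.2 section mixes singular and plural; "such setups are" (or "such a setup is") reads correctly.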
@ -280,11 +362,10 @@ zone eth1:192.168.1.0/24,192.168.2.0/24
was treated just like any other traffic; any matching rules were
applied followed by enforcement of the appropriate policy. With 1.4.1
and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where &#34;Z&#34; is some
zone) then traffic between the groups in zone Z will be accepted. If
you do have one or more explicit rules for Z to Z or if you have an
explicit Z to Z policy then the behavior is as it was in prior
versions.</para>
to Z or you have an explicit Z to Z policy (where "Z" is some zone)
then traffic between the groups in zone Z will be accepted. If you do
have one or more explicit rules for Z to Z or if you have an explicit
Z to Z policy then the behavior is as it was in prior versions.</para>
<orderedlist numeration="arabic">
<listitem>
@ -296,26 +377,29 @@ zone eth1:192.168.1.0/24,192.168.2.0/24
<listitem>
<para>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&#62;Z rules then your configuration should not require any
Z-&gt;Z rules then your configuration should not require any
change.</para>
</listitem>
<listitem>
<para>If you are currently relying on a implicit policy (one that
has &#34;all&#34; in either the SOURCE or DESTINATION column) to
prevent traffic between two interfaces to a zone Z and you have no
rules for Z-&#62;Z then you should add an explicit DROP or REJECT
policy for Z to Z.</para>
has "all" in either the SOURCE or DESTINATION column) to prevent
traffic between two interfaces to a zone Z and you have no rules
for Z-&gt;Z then you should add an explicit DROP or REJECT policy
for Z to Z.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>Sometimes, you want two separate zones on one interface but you
don&#39;t want Shorewall to set up any infrastructure to handle
traffic between them. <example><title>The <filename>zones</filename>,
<filename>interfaces</filename> and, <filename>hosts</filename> file
contents</title><programlisting>
don't want Shorewall to set up any infrastructure to handle traffic
between them. <example>
<title>The <filename>zones</filename>,
<filename>interfaces</filename> and, <filename>hosts</filename>
file contents</title>
<programlisting>
<filename class="directory">/etc/shorewall/</filename><filename>zones</filename>
z1 Zone1 The first Zone
z2 Zone2 The second Zone
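Review bot: `relying on a implicit policy` should be "an implicit policy", and the example title `<filename>interfaces</filename> and, <filename>hosts</filename>` has its comma after "and" instead of before it ("zones, interfaces, and hosts").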
@ -325,17 +409,21 @@ z2 eth1 192.168.1.255
<filename class="directory">/etc/shorewall/</filename><filename>hosts</filename>
z1 eth1:192.168.1.3
</programlisting></example> Here, zone z1 is nested in zone z2 and the
firewall is not going to be involved in any traffic between these two
zones. Beginning with Shorewall 1.4.1, you can prevent Shorewall from
setting up any infrastructure to handle traffic between z1 and z2 by
using the new NONE policy: <example><title>The contents of
<filename>policy</filename></title><programlisting>
</programlisting>
</example> Here, zone z1 is nested in zone z2 and the firewall is
not going to be involved in any traffic between these two zones.
Beginning with Shorewall 1.4.1, you can prevent Shorewall from setting
up any infrastructure to handle traffic between z1 and z2 by using the
new NONE policy: <example>
<title>The contents of <filename>policy</filename></title>
<programlisting>
<filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
z1 z2 NONE
z2 z1 NONE
</programlisting></example> Note that NONE policies are generally used in
pairs unless there is asymetric routing where only the traffic on one
</programlisting>
</example> Note that NONE policies are generally used in pairs
unless there is asymetric routing where only the traffic on one
direction flows through the firewall and you are using a NONE polciy
in the other direction.</para>
</listitem>
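Review bot: `asymetric routing` and `NONE polciy` on the reflowed lines are typos for "asymmetric" and "policy"; `traffic on one direction` should also be "traffic in one direction".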
@ -348,21 +436,21 @@ z2 z1 NONE
<itemizedlist mark="bullet">
<listitem>
<para>In Version 1.4.1, Shorewall will never create rules to deal with
traffic from a given group back to itself. The <varname>multi</varname>
interface option is no longer available so if you want to route
traffic between two subnetworks on the same interface then I recommend
that you upgrade to Version 1.4.2 and use the <varname>routeback</varname>
interface or host option.</para>
traffic from a given group back to itself. The
<varname>multi</varname> interface option is no longer available so if
you want to route traffic between two subnetworks on the same
interface then I recommend that you upgrade to Version 1.4.2 and use
the <varname>routeback</varname> interface or host option.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Version &#62;= 1.4.0</title>
<title>Version &gt;= 1.4.0</title>
<important>
<para>Shorewall &#62;=1.4.0 requires the <command>iproute</command>
package (&#39;<literal>ip</literal>&#39; utility).</para>
<para>Shorewall &gt;=1.4.0 requires the <command>iproute</command>
package ('<literal>ip</literal>' utility).</para>
</important>
<note>
@ -370,46 +458,89 @@ z2 z1 NONE
<command>iproute2</command> which will cause the upgrade of Shorewall to
fail with the diagnostic: <synopsis>
error: failed dependencies:iproute is needed by shorewall-1.4.0-1
</synopsis> This may be worked around by using the <option>--nodeps</option>
option of <command>rpm</command> (<command>rpm -Uvh --nodeps
</synopsis> This may be worked around by using the
<option>--nodeps</option> option of <command>rpm</command> (<command>rpm
-Uvh --nodeps
<filename>your_shorewall_rpm.rpm</filename></command>).</para>
</note>
<para>If you are upgrading from a version &#60; 1.4.0, then: <itemizedlist
mark="bullet"><listitem><para>The <varname>noping</varname> and
<varname>forwardping</varname> interface options are no longer supported
nor is the <varname>FORWARDPING</varname> option in <filename>shorewall.conf</filename>.
ICMP echo-request (ping) packets are treated just like any other
connection request and are subject to rules and policies.</para></listitem><listitem><para>Interface
names of the form <varname>&#60;device&#62;:&#60;integer&#62;</varname> in
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
now generate a Shorewall error at startup (they always have produced
warnings in <application class="software">iptables</application>).</para></listitem><listitem><para>The
<varname>MERGE_HOSTS</varname> variable has been removed from
<filename>shorewall.conf</filename>. Shorewall 1.4 behaves like 1.3 did
when <varname>MERGE_HOSTS=Yes</varname>; that is zone contents are
determined by <emphasis>BOTH</emphasis> the interfaces and hosts files
when there are entries for the zone in both files.</para></listitem><listitem><para>The
<varname>routestopped</varname> option in the interfaces and hosts file
has been eliminated; use entries in the <filename>routestopped</filename>
file instead.</para></listitem><listitem><para>The Shorewall 1.2 syntax
for <varname>DNAT</varname> and <varname>REDIRECT</varname> rules is no
longer accepted; you must convert to using the new syntax.</para></listitem><listitem><para>The
<varname>ALLOWRELATED</varname> variable in <filename>shorewall.conf</filename>
is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
<varname>ALLOWRELATED=Yes</varname>.</para></listitem><listitem><para>Late-arriving
DNS replies are now dropped by default; there is no need for your own
<filename class="directory">/etc/shorewall/</filename><filename>common</filename>
file simply to avoid logging these packets.</para></listitem><listitem><para>The
<filename>firewall</filename>, <filename>functions</filename> and
<filename>version</filename> files have been moved to <filename
class="directory">/usr/share/shorewall</filename>.</para></listitem><listitem><para>The
<filename>icmp.def</filename> file has been removed. If you include it
from <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>,
you will need to modify that file.</para></listitem><listitem><para>If you
followed the advice in FAQ #2 and call <varname>find_interface_address</varname>
in <filename class="directory">/etc/shorewall/</filename><filename>params</filename>,
that code should be moved to <filename class="directory">/etc/shorewall/</filename><filename>init</filename>.</para></listitem></itemizedlist></para>
<para>If you are upgrading from a version &lt; 1.4.0, then: <itemizedlist
mark="bullet">
<listitem>
<para>The <varname>noping</varname> and
<varname>forwardping</varname> interface options are no longer
supported nor is the <varname>FORWARDPING</varname> option in
<filename>shorewall.conf</filename>. ICMP echo-request (ping)
packets are treated just like any other connection request and are
subject to rules and policies.</para>
</listitem>
<listitem>
<para>Interface names of the form
<varname>&lt;device&gt;:&lt;integer&gt;</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
now generate a Shorewall error at startup (they always have produced
warnings in <application
class="software">iptables</application>).</para>
</listitem>
<listitem>
<para>The <varname>MERGE_HOSTS</varname> variable has been removed
from <filename>shorewall.conf</filename>. Shorewall 1.4 behaves like
1.3 did when <varname>MERGE_HOSTS=Yes</varname>; that is zone
contents are determined by <emphasis>BOTH</emphasis> the interfaces
and hosts files when there are entries for the zone in both
files.</para>
</listitem>
<listitem>
<para>The <varname>routestopped</varname> option in the interfaces
and hosts file has been eliminated; use entries in the
<filename>routestopped</filename> file instead.</para>
</listitem>
<listitem>
<para>The Shorewall 1.2 syntax for <varname>DNAT</varname> and
<varname>REDIRECT</varname> rules is no longer accepted; you must
convert to using the new syntax.</para>
</listitem>
<listitem>
<para>The <varname>ALLOWRELATED</varname> variable in
<filename>shorewall.conf</filename> is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with
<varname>ALLOWRELATED=Yes</varname>.</para>
</listitem>
<listitem>
<para>Late-arriving DNS replies are now dropped by default; there is
no need for your own <filename
class="directory">/etc/shorewall/</filename><filename>common</filename>
file simply to avoid logging these packets.</para>
</listitem>
<listitem>
<para>The <filename>firewall</filename>,
<filename>functions</filename> and <filename>version</filename>
files have been moved to <filename
class="directory">/usr/share/shorewall</filename>.</para>
</listitem>
<listitem>
<para>The <filename>icmp.def</filename> file has been removed. If
you include it from <filename
class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>,
you will need to modify that file.</para>
</listitem>
<listitem>
<para>If you followed the advice in FAQ #2 and call
<varname>find_interface_address</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>params</filename>,
that code should be moved to <filename
class="directory">/etc/shorewall/</filename><filename>init</filename>.</para>
</listitem>
</itemizedlist></para>
</section>
<section>
@ -420,44 +551,69 @@ error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<para>The <varname>multi</varname> interface option is no longer
supported. Shorewall will generate rules for sending packets back out
the same interface that they arrived on in two cases: <itemizedlist
mark="hollow"><listitem><para>There is an <emphasis>explicit</emphasis>
policy for the source zone to or from the destination zone. An
explicit policy names both zones and does not use the
<varname>all</varname> reserved word.</para></listitem><listitem><para>There
are one or more rules for traffic for the source zone to or from the
destination zone including rules that use the <varname>all</varname>
reserved word. Exception: if the source zone and destination zone are
the same then the rule must be explicit - it must name the zone in
both the <varname>SOURCE</varname> and <varname>DESTINATION</varname>
columns.</para></listitem></itemizedlist></para>
mark="hollow">
<listitem>
<para>There is an <emphasis>explicit</emphasis> policy for the
source zone to or from the destination zone. An explicit policy
names both zones and does not use the <varname>all</varname>
reserved word.</para>
</listitem>
<listitem>
<para>There are one or more rules for traffic for the source
zone to or from the destination zone including rules that use
the <varname>all</varname> reserved word. Exception: if the
source zone and destination zone are the same then the rule must
be explicit - it must name the zone in both the
<varname>SOURCE</varname> and <varname>DESTINATION</varname>
columns.</para>
</listitem>
</itemizedlist></para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Version &#62;= 1.3.14</title>
<title>Version &gt;= 1.3.14</title>
<para>Beginning in version 1.3.14, Shorewall treats entries in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename>
differently. The change involves entries with an <emphasis role="bold">interface
name</emphasis> in the <varname>SUBNET</varname> (second) <emphasis
role="bold">column</emphasis>: <itemizedlist mark="bullet"><listitem><para>Prior
to 1.3.14, Shorewall would detect the FIRST subnet on the interface (as
shown by <quote>ip addr show interface</quote>) and would masquerade
traffic from that subnet. Any other subnets that routed through
<literal>eth1</literal> needed their own entry in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> to
be masqueraded or to have <acronym>SNAT</acronym> applied.</para></listitem><listitem><para>Beginning
with Shorewall 1.3.14, Shorewall uses the firewall&#39;s routing table to
determine ALL subnets routed through the named interface. Traffic
originating in ANY of those subnets is masqueraded or has SNAT applied.</para></listitem></itemizedlist>
You will need to make a change to your configuration if: <orderedlist
numeration="arabic"><listitem><para>You have one or more entries in
<filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
with an interface name in the <varname>SUBNET</varname> (second) column;
and</para></listitem><listitem><para>That interface connects to more than
one subnetwork.</para></listitem></orderedlist> Two examples: <example
label="1"><title>Suppose that your current config is as follows:</title><programlisting>
differently. The change involves entries with an <emphasis
role="bold">interface name</emphasis> in the <varname>SUBNET</varname>
(second) <emphasis role="bold">column</emphasis>: <itemizedlist
mark="bullet">
<listitem>
<para>Prior to 1.3.14, Shorewall would detect the FIRST subnet on
the interface (as shown by <quote>ip addr show interface</quote>)
and would masquerade traffic from that subnet. Any other subnets
that routed through <literal>eth1</literal> needed their own entry
in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename>
to be masqueraded or to have <acronym>SNAT</acronym> applied.</para>
</listitem>
<listitem>
<para>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named
interface. Traffic originating in ANY of those subnets is
masqueraded or has SNAT applied.</para>
</listitem>
</itemizedlist> You will need to make a change to your configuration if:
<orderedlist numeration="arabic">
<listitem>
<para>You have one or more entries in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename>
with an interface name in the <varname>SUBNET</varname> (second)
column; and</para>
</listitem>
<listitem>
<para>That interface connects to more than one subnetwork.</para>
</listitem>
</orderedlist> Two examples: <example label="1">
<title>Suppose that your current config is as follows:</title>
<programlisting>
<!-- I added a space below the end of the config file for clarity -->
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
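Review bot: `Any other subnets that routed through <literal>eth1</literal>` names a specific interface in a paragraph that otherwise speaks of "the interface" and "the named interface", and both examples that follow use eth0 with eth2, so eth1 is confusing; suggest "that routed through the named interface". The comment `<!-- I added a space below the end of the config file for clarity -->` is an editing note that could be dropped from the source at the same time.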
@ -469,10 +625,13 @@ eth0 192.168.10.0/24 206.124.146.176
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
</programlisting></example> In this case, the second entry in <filename
</programlisting>
</example> In this case, the second entry in <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> is
no longer required. <example label="2"><title>What if your current
configuration is like this?</title><programlisting>
no longer required. <example label="2">
<title>What if your current configuration is like this?</title>
<programlisting>
[root@gateway test]# cat /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
@ -482,20 +641,23 @@ eth0 eth2 206.124.146.176
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
</programlisting></example> In this case, you would want to change the
entry in /etc/shorewall/masq to: <programlisting>
</programlisting>
</example> In this case, you would want to change the entry in
/etc/shorewall/masq to: <programlisting>
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting> Version 1.3.14 also introduced simplified ICMP
echo-request (ping) handling. The option <varname>OLD_PING_HANDLING=Yes</varname>
in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
echo-request (ping) handling. The option
<varname>OLD_PING_HANDLING=Yes</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
is used to specify that the old (pre-1.3.14) ping handling is to be used
(If the option is not set in your <filename class="directory">/etc/shorewall/</filename>shorewall.conf
then <varname>OLD_PING_HANDLING=Yes</varname> is assumed). I don&#39;t
plan on supporting the old handling indefinitely so I urge current users
to migrate to using the new handling as soon as possible. See the
&#39;Ping&#39; handling documentation for details.</para>
(If the option is not set in your <filename
class="directory">/etc/shorewall/</filename>shorewall.conf then
<varname>OLD_PING_HANDLING=Yes</varname> is assumed). I don't plan on
supporting the old handling indefinitely so I urge current users to
migrate to using the new handling as soon as possible. See the 'Ping'
handling documentation for details.</para>
</section>
<section>
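Review bot: the second reference to shorewall.conf in this hunk, `class="directory">/etc/shorewall/</filename>shorewall.conf`, leaves the file name outside a `<filename>` element, while the first reference a few lines above wraps it as `<filename>shorewall.conf</filename>`; wrap it the same way so the two render consistently.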
@ -513,7 +675,7 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
</section>
<section>
<title>Version &#62;= 1.3.9</title>
<title>Version &gt;= 1.3.9</title>
<itemizedlist>
<listitem>
@ -527,22 +689,23 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
</section>
<section>
<title>Version &#62;= 1.3.8</title>
<title>Version &gt;= 1.3.8</title>
<itemizedlist>
<listitem>
<para>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify your
firewall setup slightly under Shorewall versions &#62;= 1.3.8.
Beginning with version 1.3.8, you must set <varname>NEWNOTSYN=Yes</varname>
in your <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
firewall setup slightly under Shorewall versions &gt;= 1.3.8.
Beginning with version 1.3.8, you must set
<varname>NEWNOTSYN=Yes</varname> in your <filename
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>
file.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Version &#62;= 1.3.7</title>
<title>Version &gt;= 1.3.7</title>
<itemizedlist>
<listitem>
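Review bot: the 1.3.8 item tells failover and asymmetric-routing users to set NEWNOTSYN=Yes but does not say what the setting does or what it trades away; the 1.3.6/1.3.7 item further down explains the same requirement as letting the connection tracking table be rebuilt from non-SYN packets after takeover. A one-line note here that NEWNOTSYN=Yes accepts non-SYN TCP packets that do not belong to a tracked connection, and is therefore only wanted in those two situations, would stop readers turning it on by default.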
@ -550,14 +713,14 @@ rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm
class="directory">/etc/</filename><filename>shorewall.conf</filename>
will need to include the following rules in their <filename
class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
file (creating this file if necessary):
<programlisting>
file (creating this file if necessary): <programlisting>
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</programlisting> Users having an <filename class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
</programlisting> Users having an <filename
class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>
file may remove the <command>./etc/shorewall/icmp.def</command>
command from that file since the <filename>icmp.def</filename> file is
now empty.</para>
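Review bot: `<command>./etc/shorewall/icmp.def</command>` appears to be missing the space after the dot; the command in the icmpdef file sources the file (`. /etc/shorewall/icmp.def`), and as written it reads as a relative path `./etc/...`. Check the source before this line is reflowed again.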
@ -566,24 +729,37 @@ run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</section>
<section>
<title>Upgrading Bering to Shorewall &#62;= 1.3.3</title>
<title>Upgrading Bering to Shorewall &gt;= 1.3.3</title>
<itemizedlist>
<listitem>
<para>To properly upgrade with Shorewall version 1.3.3 and later:
<orderedlist numeration="arabic"><listitem><para>Be sure you have a
backup -- you will need to transcribe any Shorewall configuration
changes that you have made to the new configuration.</para></listitem><listitem><para>Replace
the <filename>shorwall.lrp</filename> package provided on the Bering
floppy with the later one. If you did not obtain the later version
from Jacques&#39;s site, see additional instructions below.</para></listitem><listitem><para>Edit
the <filename class="directory">/var/lib/lrpkg/</filename><filename>root.exclude.list</filename>
file and remove the <filename>/var/lib/shorewall</filename> entry if
present. Then do not forget to backup <filename>root.lrp</filename>!</para></listitem></orderedlist>
The .lrp that I release isn&#39;t set up for a two-interface firewall
like Jacques&#39;s. You need to follow the instructions for setting up
a two-interface firewall plus you also need to add the following two
Bering-specific rules to <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>:
<orderedlist numeration="arabic">
<listitem>
<para>Be sure you have a backup -- you will need to transcribe
any Shorewall configuration changes that you have made to the
new configuration.</para>
</listitem>
<listitem>
<para>Replace the <filename>shorwall.lrp</filename> package
provided on the Bering floppy with the later one. If you did not
obtain the later version from Jacques's site, see additional
instructions below.</para>
</listitem>
<listitem>
<para>Edit the <filename
class="directory">/var/lib/lrpkg/</filename><filename>root.exclude.list</filename>
file and remove the <filename>/var/lib/shorewall</filename>
entry if present. Then do not forget to backup
<filename>root.lrp</filename>!</para>
</listitem>
</orderedlist> The .lrp that I release isn't set up for a
two-interface firewall like Jacques's. You need to follow the
instructions for setting up a two-interface firewall plus you also
need to add the following two Bering-specific rules to <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:
<programlisting>
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
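Review bot: `<filename>shorwall.lrp</filename>` on the new line is a typo for "shorewall.lrp"; fix it while the line is being rewritten. `do not forget to backup <filename>root.lrp</filename>` uses "backup" as a verb, which should be "back up".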
@ -604,41 +780,55 @@ ACCEPT loc fw tcp 80
<para>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify your
firewall setup slightly under Shorewall versions 1.3.6 and 1.3.7
<orderedlist><listitem><para>Create the file <filename
class="directory">/etc/shorewall/</filename><filename>newnotsyn</filename>
and in it add the following rule: <!-- The following code wraps off of the document. I have added the comment above the command. -->
<programlisting>
<orderedlist>
<listitem>
<para>Create the file <filename
class="directory">/etc/shorewall/</filename><filename>newnotsyn</filename>
and in it add the following rule: <!-- The following code wraps off of the document. I have added the comment above the command. -->
<programlisting>
# So that the connection tracking table can be rebuilt
# from non-SYN packets after takeover.
run_iptables -A newnotsyn -j RETURN
</programlisting></para></listitem><listitem><para>Create <filename
class="directory">/etc/shorewall/</filename><filename>common</filename>
(if you don&#39;t already have that file) and include the following:
<programlisting>
</programlisting></para>
</listitem>
<listitem>
<para>Create <filename
class="directory">/etc/shorewall/</filename><filename>common</filename>
(if you don't already have that file) and include the following:
<programlisting>
#Accept Acks to rebuild connection tracking table.
run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
./etc/shorewall/common.def
</programlisting></para></listitem></orderedlist></para>
</programlisting></para>
</listitem>
</orderedlist></para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Versions &#62;= 1.3.5</title>
<title>Versions &gt;= 1.3.5</title>
<itemizedlist>
<listitem>
<para>Some forms of pre-1.3.0 rules file syntax are no longer
supported. <example label="1"><title></title><programlisting>
supported. <example label="1">
<title></title>
<programlisting>
ACCEPT net loc:192.168.1.12:22 tcp 11111 - all
</programlisting></example> Must be replaced with:
<programlisting>
</programlisting>
</example> Must be replaced with: <programlisting>
DNAT net loc:192.168.1.12:22 tcp 11111
</programlisting> <example label="2"><title></title><programlisting>
</programlisting> <example label="2">
<title></title>
<programlisting>
ACCEPT loc fw::3128 tcp 80 - all
</programlisting></example> Must be replaced with:
<programlisting>
</programlisting>
</example> Must be replaced with: <programlisting>
REDIRECT loc 3128 tcp 80
</programlisting></para>
</listitem>
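Review bot: the rule `run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT` accepts every TCP packet with ACK set and FIN and RST clear, from any source, and it is inserted ahead of the rules that common.def adds; the item should say this plainly so that readers who are not running a failover pair do not copy it. Also, `./etc/shorewall/common.def` appears to be missing the space in `. /etc/shorewall/common.def`, and the comment `<!-- The following code wraps off of the document. ... -->` is an editing note that can be dropped.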
@ -646,7 +836,7 @@ REDIRECT loc 3128 tcp 80
</section>
<section>
<title>Version &#62;= 1.3.2</title>
<title>Version &gt;= 1.3.2</title>
<itemizedlist>
<listitem>