mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
Documentation Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1663 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
757b144de2
commit
8434b752f7
@ -2027,6 +2027,28 @@ ACCEPT fw net tcp www</programlisting>
|
||||
<emphasis role="bold">THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
|
||||
FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL
|
||||
CONFIGURATION.</emphasis></para>
|
||||
|
||||
<para>Normally MASQUERADE/SNAT rules are evaluated after one-to-one
|
||||
NAT rules defined in the <link
|
||||
linkend="NAT"><filename>/etc/shorewall/nat</filename></link> file.
|
||||
Beginning with Shorewall 2.1.1, if you preceed the interface name
|
||||
with a plus sign ("+") then the rule will be evaluated before
|
||||
one-to-one NAT.</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<programlisting>+eth0
|
||||
+eth1:192.0.2.32/27</programlisting>
|
||||
|
||||
<para>Also new in the Shorewall 2.1 series, the effect of
|
||||
ADD_SNAT_ALIASES=Yes can be negated for an entry by following the
|
||||
interface name by ":" but no digit. </para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<programlisting>eth0:
|
||||
eth1::192.0.2.32/27
|
||||
+eth3</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
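Review bot: "preceed" in the new paragraph ("if you preceed the interface name with a plus sign") is a typo for "precede"; fix it before this lands. Two smaller points in the same hunk: the second new paragraph says "Also new in the Shorewall 2.1 series" while the first says "Beginning with Shorewall 2.1.1", so state the exact version in both for consistency, and the trailing space inside `interface name by ":" but no digit. </para>` should go.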
@ -2382,6 +2404,14 @@ eth0 eth1 206.124.146.176</programlisting>
|
||||
the ipconfig utility. <emphasis role="bold">THAT IS THE ONLY THING
|
||||
THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN
|
||||
YOUR SHOREWALL CONFIGURATION.</emphasis></para>
|
||||
|
||||
<para>Beginning with Shorewall 2.1.1, the effect of
|
||||
ADD_IP_ALIASES=Yes can be negated for an entry by following the
|
||||
interface name by ":" but no digit. </para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>eth0:</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
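Review bot: the context line just above the new paragraph reads "the ipconfig utility"; since this hunk already edits the tail of that paragraph, correct it to "ifconfig" (the Linux tool the label is visible in) in the same change. The new paragraph also ends with a trailing space before `</para>`, as in the masq section; drop it.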
@ -3627,6 +3657,16 @@ eth1 -</programlisting>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.19</revnumber>
|
||||
|
||||
<date>2004-09012</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Changes for Shorewall 2.1.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.18</revnumber>
|
||||
|
||||
|
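Review bot: the new revision entry has `<date>2004-09012</date>`, which is not a valid date; the `<pubdate>` set elsewhere in this commit is 2004-09-12, so this should read `<date>2004-09-12</date>`. The revremark "Changes for Shorewall 2.1." could also name what changed (the "+" prefix and the ":" with no digit negation added in this commit) so the revision history is useful on its own.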
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-06-25</pubdate>
|
||||
<pubdate>2004-09-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
@ -35,7 +35,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -45,11 +46,13 @@
|
||||
<para>If you install using the .deb, you will find that your <filename
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This is
|
||||
intentional. The released configuration file skeletons may be found on
|
||||
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
<para>Note that you must copy <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para>
|
||||
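Review bot: markup is inconsistent in the reflowed paragraph: `/usr/share/doc/shorewall/default-config/shorewall.conf` is tagged `<filename class="directory">` although it is a file, while `/usr/share/doc/shorewall/default-config/modules` on the next line has no `<filename>` tag at all. Use plain `<filename>` (no `class="directory"`) for both files.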
@ -60,9 +63,9 @@
|
||||
|
||||
<important>
|
||||
<para>Before attempting installation, I strongly urge you to read and
|
||||
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart</ulink> Guide for the configuration that most closely matches
|
||||
your own.</para>
|
||||
print a copy of the <ulink
|
||||
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
|
||||
for the configuration that most closely matches your own.</para>
|
||||
</important>
|
||||
|
||||
<para>To install Shorewall using the RPM:</para>
|
||||
@ -71,14 +74,15 @@
|
||||
<listitem>
|
||||
<para>Install the RPM</para>
|
||||
|
||||
<programlisting><command>rpm -ivh <shorewall rpm></command></programlisting>
|
||||
<programlisting><command>rpm -ivh <shorewall rpm></command></programlisting>
|
||||
|
||||
<note>
|
||||
<para>Some SuSE users have encountered a problem whereby rpm reports
|
||||
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to rpm.</para>
|
||||
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to
|
||||
rpm.</para>
|
||||
|
||||
<programlisting><filename><command>rpm -ivh --nodeps <shorewall rpm></command></filename></programlisting>
|
||||
<programlisting><filename><command>rpm -ivh --nodeps <shorewall rpm></command></filename></programlisting>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
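Review bot: the `--nodeps` listing is wrapped as `<programlisting><filename><command>rpm -ivh --nodeps ...</command></filename></programlisting>`; the `<filename>` element does not belong there, and the parallel listing lower in this hunk uses just `<programlisting><command>...</command></programlisting>`. Drop the `<filename>` wrapper while this block is being reflowed.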
@ -89,9 +93,10 @@
|
||||
|
||||
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
|
||||
|
||||
<para>This may be worked around by using the --nodeps option of rpm.</para>
|
||||
<para>This may be worked around by using the --nodeps option of
|
||||
rpm.</para>
|
||||
|
||||
<programlisting><command>rpm -ivh --nodeps <shorewall rpm></command></programlisting>
|
||||
<programlisting><command>rpm -ivh --nodeps <shorewall rpm></command></programlisting>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
@ -110,6 +115,14 @@
|
||||
</warning>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Enable startup by removing
|
||||
<filename>/etc/shorewall/startup_disabled</filename> (If you are
|
||||
running Shorewall 2.1.3 or later, edit
|
||||
/<filename>etc/shorewall/shorewall.conf</filename> and set
|
||||
STARTUP_ENABLED to Yes).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Start the firewall by typing</para>
|
||||
|
||||
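Review bot: in the new list item the leading slash sits outside the element: `/<filename>etc/shorewall/shorewall.conf</filename>` should be `<filename>/etc/shorewall/shorewall.conf</filename>`, otherwise the rendered path is split oddly and any stylesheet treatment of filenames misses the slash. Since the option value is configuration syntax, `STARTUP_ENABLED to Yes` would read more clearly as `STARTUP_ENABLED=Yes`, which is how the tarball section in this same commit writes it.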
@ -123,9 +136,9 @@
|
||||
|
||||
<important>
|
||||
<para>Before attempting installation, I strongly urge you to read and
|
||||
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart</ulink> Guide for the configuration that most closely matches
|
||||
your own.</para>
|
||||
print a copy of the <ulink
|
||||
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
|
||||
for the configuration that most closely matches your own.</para>
|
||||
</important>
|
||||
|
||||
<para>To install Shorewall using the tarball and install script:</para>
|
||||
@ -141,18 +154,19 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
|
||||
you need Shorewall 2.0.2 RC1 or later. If you are installing a
|
||||
Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
|
||||
the install.sh file and change the lines</para>
|
||||
<para>If you are running <ulink
|
||||
url="http://www.slackware.com">Slackware</ulink>, you need Shorewall
|
||||
2.0.2 RC1 or later. If you are installing a Shorewall version earlier
|
||||
than 2.0.3 Beta 1 then you must also edit the install.sh file and
|
||||
change the lines</para>
|
||||
|
||||
<programlisting>DEST="/etc/init.d"
|
||||
INIT="shorewall"</programlisting>
|
||||
<programlisting>DEST="/etc/init.d"
|
||||
INIT="shorewall"</programlisting>
|
||||
|
||||
<para>to</para>
|
||||
|
||||
<programlisting>DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"</programlisting>
|
||||
<programlisting>DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -172,9 +186,26 @@ INIT="rc.firewall"</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Enable Startup by removing <filename>/etc/shorewall/startup_disabled</filename>
|
||||
(Debian users will edit <filename>/etc/default/shorewall</filename>
|
||||
and set startup=1).</para>
|
||||
<para>Enable Startup:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Users running Shorewall 2.1.3 or later, edit
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> and set
|
||||
STARTUP_ENABLED=Yes.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Users running Shorewall 2.1.2 or earlier and using the .deb
|
||||
should edit <filename>/etc/default/shorewall</filename> and set
|
||||
startup=1.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>All other users, remove the file
|
||||
<filename>/etc/shorewall/startup_disabled</filename></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
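Review bot: the first new item, "Users running Shorewall 2.1.3 or later, edit ...", is a sentence fragment; the second item's "Users running ... should edit" phrasing fits, so use "should edit" here too. The third item's `<para>` has no terminating period, unlike the other two. Items one and two together imply that the .deb's `/etc/default/shorewall` `startup=1` setting no longer applies from 2.1.3 on; one explicit sentence saying so would save .deb users on 2.1.3 from editing both files.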
@ -186,7 +217,8 @@ INIT="rc.firewall"</programlisting>
|
||||
<listitem>
|
||||
<para>If the install script was unable to configure Shorewall to be
|
||||
started automatically at boot, see <ulink
|
||||
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
|
||||
url="starting_and_stopping_shorewall.htm">these
|
||||
instructions</ulink>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
@ -196,15 +228,16 @@ INIT="rc.firewall"</programlisting>
|
||||
|
||||
<important>
|
||||
<para>Before attempting installation, I strongly urge you to read and
|
||||
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart</ulink> Guide for the configuration that most closely matches
|
||||
your own.</para>
|
||||
print a copy of the <ulink
|
||||
url="shorewall_quickstart_guide.htm">Shorewall QuickStart</ulink> Guide
|
||||
for the configuration that most closely matches your own.</para>
|
||||
</important>
|
||||
|
||||
<para>To install my version of Shorewall on a fresh Bering disk, simply
|
||||
replace the <quote>shorwall.lrp</quote> file on the image with the file
|
||||
that you downloaded. See the <ulink url="two-interface.htm">two-interface
|
||||
QuickStart Guide</ulink> for information about further steps required.</para>
|
||||
QuickStart Guide</ulink> for information about further steps
|
||||
required.</para>
|
||||
</section>
|
||||
|
||||
<section id="Upgrade_RPM">
|
||||
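Review bot: the reflowed paragraph keeps `<quote>shorwall.lrp</quote>` in its context line; that is a typo for `shorewall.lrp` and is worth fixing while this paragraph is being touched.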
@ -224,22 +257,23 @@ INIT="rc.firewall"</programlisting>
|
||||
please check your /etc/shorewall/interfaces file to be sure that it
|
||||
contains an entry for each interface mentioned in the hosts file. Also,
|
||||
there are certain 1.2 rule forms that are no longer supported under 1.4
|
||||
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
|
||||
upgrade issues</ulink> for details.</para>
|
||||
(you must use the new 1.4 syntax). See <ulink
|
||||
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
|
||||
</important>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Upgrade the RPM</para>
|
||||
|
||||
<programlisting><command>rpm -Uvh <shorewall rpm file></command></programlisting>
|
||||
<programlisting><command>rpm -Uvh <shorewall rpm file></command></programlisting>
|
||||
|
||||
<note>
|
||||
<para>Some SuSE users have encountered a problem whereby rpm reports
|
||||
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to rpm.</para>
|
||||
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to
|
||||
rpm.</para>
|
||||
|
||||
<programlisting><command>rpm -Uvh --nodeps <shorewall rpm></command></programlisting>
|
||||
<programlisting><command>rpm -Uvh --nodeps <shorewall rpm></command></programlisting>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
@ -250,15 +284,17 @@ INIT="rc.firewall"</programlisting>
|
||||
|
||||
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
|
||||
|
||||
<para>This may be worked around by using the --nodeps option of rpm.</para>
|
||||
<para>This may be worked around by using the --nodeps option of
|
||||
rpm.</para>
|
||||
|
||||
<programlisting><command>rpm -Uvh --nodeps <shorewall rpm></command></programlisting>
|
||||
<programlisting><command>rpm -Uvh --nodeps <shorewall rpm></command></programlisting>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>See if there are any incompatibilities between your
|
||||
configuration and the new Shorewall version and correct as necessary.</para>
|
||||
configuration and the new Shorewall version and correct as
|
||||
necessary.</para>
|
||||
|
||||
<programlisting><command>shorewall check</command></programlisting>
|
||||
</listitem>
|
||||
@ -288,8 +324,8 @@ INIT="rc.firewall"</programlisting>
|
||||
please check your /etc/shorewall/interfaces file to be sure that it
|
||||
contains an entry for each interface mentioned in the hosts file. Also,
|
||||
there are certain 1.2 rule forms that are no longer supported under 1.4
|
||||
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
|
||||
upgrade issues</ulink> for details.</para>
|
||||
(you must use the new 1.4 syntax). See <ulink
|
||||
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
|
||||
</important>
|
||||
|
||||
<orderedlist>
|
||||
@ -305,18 +341,19 @@ INIT="rc.firewall"</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
|
||||
you should use Shorewall 2.0.2 RC1 or later. If you are installing a
|
||||
Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
|
||||
the install.sh file and change the lines</para>
|
||||
<para>If you are running <ulink
|
||||
url="http://www.slackware.com">Slackware</ulink>, you should use
|
||||
Shorewall 2.0.2 RC1 or later. If you are installing a Shorewall
|
||||
version earlier than 2.0.3 Beta 1 then you must also edit the
|
||||
install.sh file and change the lines</para>
|
||||
|
||||
<programlisting>DEST="/etc/init.d"
|
||||
INIT="shorewall"</programlisting>
|
||||
<programlisting>DEST="/etc/init.d"
|
||||
INIT="shorewall"</programlisting>
|
||||
|
||||
<para>to</para>
|
||||
|
||||
<programlisting>DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"</programlisting>
|
||||
<programlisting>DEST="/etc/rc.d"
|
||||
INIT="rc.firewall"</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -332,7 +369,8 @@ INIT="rc.firewall"</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>See if there are any incompatibilities between your
|
||||
configuration and the new Shorewall version and correct as necessary.</para>
|
||||
configuration and the new Shorewall version and correct as
|
||||
necessary.</para>
|
||||
|
||||
<programlisting><command>shorewall check</command></programlisting>
|
||||
</listitem>
|
||||
@ -346,7 +384,8 @@ INIT="rc.firewall"</programlisting>
|
||||
<listitem>
|
||||
<para>If the install script was unable to configure Shorewall to be
|
||||
started automatically at boot, see <ulink
|
||||
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
|
||||
url="starting_and_stopping_shorewall.htm">these
|
||||
instructions</ulink>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
@ -375,6 +414,7 @@ INIT="rc.firewall"</programlisting>
|
||||
<section>
|
||||
<title>Uninstall/Fallback</title>
|
||||
|
||||
<para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
|
||||
<para>See <quote><ulink url="fallback.htm">Fallback and
|
||||
Uninstall</ulink></quote>.</para>
|
||||
</section>
|
||||
</article>
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-03-25</pubdate>
|
||||
<pubdate>2004-09-17</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
@ -31,28 +31,33 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Creating a New Action</title>
|
||||
|
||||
<para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
|
||||
were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
|
||||
Beginning with Shorewall version 1.4.9, users may use sequences of these
|
||||
elementary operations to define more complex actions.</para>
|
||||
<para>Prior to Shorewall version 1.4.9, rules in
|
||||
<filename>/etc/shorewall/rules</filename> were limited to those defined by
|
||||
Netfilter (ACCEPT, DROP, REJECT, etc.). Beginning with Shorewall version
|
||||
1.4.9, users may use sequences of these elementary operations to define
|
||||
more complex actions.</para>
|
||||
|
||||
<para>To define a new action:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
|
||||
that names your new action. Action names must be valid shell variable
|
||||
names as well as valid Netfilter chain names. It is recommended that
|
||||
the name you select for a new action begins with with a capital
|
||||
letter; that way, the name won't conflict with a Shorewall-defined
|
||||
chain name.</para>
|
||||
<para>Add a line to
|
||||
<filename><filename>/etc/shorewall/actions</filename></filename> that
|
||||
names your new action. Action names must be valid shell variable names
|
||||
((must begin with a letter and be composed of letters, digits and
|
||||
underscore characters) as well as valid Netfilter chain names. If you
|
||||
intend to log from the action, the name must have a maximum of 11
|
||||
characters. It is recommended that the name you select for a new
|
||||
action begins with with a capital letter; that way, the name won't
|
||||
conflict with a Shorewall-defined chain name.</para>
|
||||
|
||||
<para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
|
||||
be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
|
||||
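Review bot: the new parenthetical opens with a doubled bracket, "((must begin with a letter ...", and "begins with with a capital letter" has a doubled "with". Also `<filename><filename>/etc/shorewall/actions</filename></filename>` nests the element twice; one `<filename>` is enough. The new 11-character limit for actions that log is a useful addition; consider saying what happens when a longer name is used (error at compile time, or truncation), since a reader hitting it will otherwise only see the failure.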
@ -71,8 +76,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>Once you have defined your new action name (ActionName), then
|
||||
copy /usr/share/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
|
||||
(for example, if your new action name is <quote>Foo</quote> then copy
|
||||
copy /usr/share/shorewall/action.template to
|
||||
<filename>/etc/shorewall/action.ActionName</filename> (for example, if
|
||||
your new action name is <quote>Foo</quote> then copy
|
||||
<filename>/usr/share/shorewall/action.template</filename> to
|
||||
<filename>/etc/shorewall/action.Foo</filename>).</para>
|
||||
</listitem>
|
||||
@ -87,10 +93,11 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
|
||||
<<emphasis>action</emphasis>> where <<emphasis>action</emphasis>>
|
||||
is a previously-defined action (that is, it must precede the action
|
||||
being defined in this file in your <filename>/etc/shorewall/actions</filename>
|
||||
file). These actions have the same meaning as they do in the
|
||||
<<emphasis>action</emphasis>> where
|
||||
<<emphasis>action</emphasis>> is a previously-defined action
|
||||
(that is, it must precede the action being defined in this file in
|
||||
your <filename>/etc/shorewall/actions</filename> file). These actions
|
||||
have the same meaning as they do in the
|
||||
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
|
||||
processing of the current action and returns to the point where that
|
||||
action was invoked). The TARGET may optionally be followed by a colon
|
||||
@ -120,13 +127,14 @@
|
||||
MAC addresses are not allowed.</para>
|
||||
|
||||
<para>Unlike in the SOURCE column, you may specify a range of up to
|
||||
256 IP addresses using the syntax <<emphasis>first ip</emphasis>>-<<emphasis>last
|
||||
ip</emphasis>>.</para>
|
||||
256 IP addresses using the syntax <<emphasis>first
|
||||
ip</emphasis>>-<<emphasis>last ip</emphasis>>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>PROTO - Protocol - Must be <quote>tcp</quote>, <quote>udp</quote>,
|
||||
<quote>icmp</quote>, a number, or <quote>all</quote>.</para>
|
||||
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
|
||||
<quote>udp</quote>, <quote>icmp</quote>, a number, or
|
||||
<quote>all</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -135,8 +143,8 @@
|
||||
ranges; if the protocol is <quote>icmp</quote>, this column is
|
||||
interpreted as the destination icmp-type(s).</para>
|
||||
|
||||
<para>A port range is expressed as <<emphasis>low port</emphasis>>:<<emphasis>high
|
||||
port</emphasis>>.</para>
|
||||
<para>A port range is expressed as <<emphasis>low
|
||||
port</emphasis>>:<<emphasis>high port</emphasis>>.</para>
|
||||
|
||||
<para>This column is ignored if PROTOCOL = all but must be entered if
|
||||
any of the following ields are supplied. In that case, it is suggested
|
||||
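Review bot: the context line "any of the following ields are supplied" is missing the "f" in "fields"; since the adjacent paragraph is being reflowed, fix it in the same change.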
@ -156,7 +164,8 @@
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Otherwise, a separate rule will be generated for each port.</para>
|
||||
<para>Otherwise, a separate rule will be generated for each
|
||||
port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -164,9 +173,8 @@
|
||||
source port is acceptable. Specified as a comma-separated list of port
|
||||
names, port numbers or port ranges.</para>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to
|
||||
specify an ADDRESS in the next column, then place "-" in this
|
||||
column.</para>
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
an ADDRESS in the next column, then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and in the
|
||||
@ -182,18 +190,19 @@
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Otherwise, a separate rule will be generated for each port.</para>
|
||||
<para>Otherwise, a separate rule will be generated for each
|
||||
port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><programlisting> <<emphasis>rate</emphasis>>/<<emphasis>interval</emphasis>>[:<<emphasis>burst</emphasis>>]</programlisting>where
|
||||
<<emphasis>rate</emphasis>> is the number of connections per
|
||||
<<emphasis>interval</emphasis>> (<quote>sec</quote> or
|
||||
<quote>min</quote>) and <<emphasis>burst</emphasis>> is the
|
||||
largest burst permitted. If no <<emphasis>burst</emphasis>> is
|
||||
<para><programlisting> <<emphasis>rate</emphasis>>/<<emphasis>interval</emphasis>>[:<<emphasis>burst</emphasis>>]</programlisting>where
|
||||
<<emphasis>rate</emphasis>> is the number of connections per
|
||||
<<emphasis>interval</emphasis>> (<quote>sec</quote> or
|
||||
<quote>min</quote>) and <<emphasis>burst</emphasis>> is the
|
||||
largest burst permitted. If no <<emphasis>burst</emphasis>> is
|
||||
given, a value of 5 is assumed. There may be no whitespace embedded in
|
||||
the specification.</para>
|
||||
|
||||
@ -207,30 +216,33 @@
|
||||
any of the following:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>[!]<<emphasis>user number</emphasis>>[:]</member>
|
||||
<member>[!]<<emphasis>user number</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]<<emphasis>user name</emphasis>>[:]</member>
|
||||
<member>[!]<<emphasis>user name</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]:<<emphasis>group number</emphasis>></member>
|
||||
<member>[!]:<<emphasis>group number</emphasis>></member>
|
||||
|
||||
<member>[!]:<<emphasis>group name</emphasis>></member>
|
||||
<member>[!]:<<emphasis>group name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user number</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
<member>[!]<<emphasis>user
|
||||
number</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user name</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user inumber</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
<member>[!]<<emphasis>user
|
||||
inumber</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user name</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group name</emphasis>></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Omitted column entries should be entered using a dash ("-:).</para>
|
||||
<para>Omitted column entries should be entered using a dash ("-:).</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
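Review bot: the line `Omitted column entries should be entered using a dash ("-:).` has a garbled closing quote and parenthesis; it should read `dash ("-").`. In the simplelist, `<<emphasis>user inumber</emphasis>>` is a typo for "user number" (compare the matching `user number`:`group number` member two entries up). Both lines fall in this hunk's reflowed region.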
@ -244,13 +256,123 @@
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
LogAndAccept loc fw tcp 22</programlisting>
|
||||
|
||||
<para>Prior to Shorewall 2.1.2, specifying a log level (and optionally a
|
||||
log tag) on a rule that specified a user-defined (or Shorewall-defined)
|
||||
action would log all traffic passed to the action. Beginning with
|
||||
Shorewall 2.1.2, specifying a log level in a rule that specifies a user-
|
||||
or Shorewall-defined action will cause each rule in the action to be
|
||||
logged with the specified level (and tag).</para>
|
||||
|
||||
<para>The extent to which logging of action rules occur is goverend by the
|
||||
following:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>When you invoke an action and specify a log level, only those
|
||||
rules in the action that have no log level will be changed to log at
|
||||
the level specified at the action invocation.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
foo:debug fw net</programlisting>
|
||||
|
||||
<para>Logging in the invoke 'foo' action will be as if foo had been
|
||||
defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:info</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you follow the log level with "!" then logging will be at
|
||||
that level for all rules recursively invoked by the action.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
foo:debug! fw net</programlisting>
|
||||
|
||||
<para>Logging in the invoke 'foo' action will be as if foo had been
|
||||
defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:debug</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>The change in Shorewall 2.1.2 has an effect on extension scripts
|
||||
used with user-defined actions. If you define an action 'acton' and you
|
||||
have an <filename>/etc/shorewall/acton</filename> script then when that
|
||||
script is invoked, the following three variables will be set for use by
|
||||
the script:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>$CHAIN = the name of the chain where your rules are to be
|
||||
placed. When logging is used on an action invocation, Shorewall
|
||||
creates a chain with a slightly different name from the action
|
||||
itself.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>$LEVEL = Log level. If empty, no logging was specified.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>$TAG = Log Tag.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST
|
||||
acton:info:test fw net</programlisting>
|
||||
|
||||
<para>Your /etc/shorewall/acton file will be run with:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>$CHAIN="%acton1"</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>$LEVEL="info"</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>$TAG="test"</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Standard Actions In Shorewall 2.0</title>
|
||||
|
||||
<para>Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of
|
||||
defined actions. These defined actions are listed in <filename>/usr/share/shorewall/actions.std</filename>.</para>
|
||||
defined actions. These defined actions are listed in
|
||||
<filename>/usr/share/shorewall/actions.std</filename>.</para>
|
||||
|
||||
<para>The <filename>/usr/share/shorewall/actions.std</filename> file
|
||||
includes the common actions <quote>Drop</quote> for DROP policies and
|
||||
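Review bot: "goverend" in "The extent to which logging of action rules occur is goverend by" should be "governed" (and "occur" should be "occurs"). "Logging in the invoke 'foo' action" appears twice and should be "Logging in the invoked 'foo' action". The paragraph `<para>/etc/shorewall/action.foo</para>` lacks both the trailing colon and the `<filename>` markup that the sibling `<para><filename>/etc/shorewall/rules</filename>:</para>` has. The two worked examples do match the stated rule (without "!" only `ACCEPT` gains `:debug` and `bar:info` keeps its own level; with "!" `bar` becomes `bar:debug`), which is good; for the extension-script example, say whether `$CHAIN="%acton1"` is the literal name Shorewall generates or just illustrative, since the text only says the chain name is "slightly different" from the action's.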
@ -268,27 +390,32 @@ AllowFTP loc fw</programlisting>
|
||||
|
||||
<para><filename>/usr/share/shorewall/actions.std</filename> is processed
|
||||
before <filename>/etc/shorewall/actions</filename> and if you have any
|
||||
actions defined with the same name as one in <filename>/usr/share/shorewall/actions.std</filename>,
|
||||
your version in <filename class="directory">/etc/shorewall</filename> will
|
||||
be the one used. So if you wish to modify a standard action, simply copy
|
||||
the associated action file from <filename class="directory">/usr/share/shorewall
|
||||
</filename>to <filename class="directory">/etc/shorewall and modify</filename>
|
||||
it to suit your needs. The next <command>shorewall restart</command> will
|
||||
cause your action to be installed in place of the standard one. In
|
||||
particular, if you want to modify the common actions <quote>Drop</quote>
|
||||
or <quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
|
||||
<filename>Action.Reject</filename> to <filename class="directory">/etc/shorewall</filename>
|
||||
and modify that copy as desired.</para>
|
||||
actions defined with the same name as one in
|
||||
<filename>/usr/share/shorewall/actions.std</filename>, your version in
|
||||
<filename class="directory">/etc/shorewall</filename> will be the one
|
||||
used. So if you wish to modify a standard action, simply copy the
|
||||
associated action file from <filename
|
||||
class="directory">/usr/share/shorewall </filename>to <filename
|
||||
class="directory">/etc/shorewall and modify</filename> it to suit your
|
||||
needs. The next <command>shorewall restart</command> will cause your
|
||||
action to be installed in place of the standard one. In particular, if you
|
||||
want to modify the common actions <quote>Drop</quote> or
|
||||
<quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
|
||||
<filename>Action.Reject</filename> to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify that copy as
|
||||
desired.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Creating an Action using an Extension Script</title>
|
||||
|
||||
<para>There may be cases where you wish to create a chain with rules that
|
||||
can't be constructed using the tools defined in the action.template.
|
||||
In that case, you can use an extension script.<note><para>If you actually
|
||||
need an action to drop broadcast packets, use the <command>dropBcast</command>
|
||||
standard action rather than create one like this.</para></note></para>
|
||||
can't be constructed using the tools defined in the action.template. In
|
||||
that case, you can use an extension script.<note>
|
||||
<para>If you actually need an action to drop broadcast packets, use
|
||||
the <command>dropBcast</command> standard action rather than create
|
||||
one like this.</para>
|
||||
</note></para>
|
||||
|
||||
<example>
|
||||
<title>An action to drop all broadcast packets</title>
|
||||
|
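Review bot: the closing tag in `<filename class="directory">/etc/shorewall and modify</filename>` is misplaced in both the old and the reflowed lines, so "and modify" ends up inside the directory name; close the element right after `/etc/shorewall`. The same sentence has a trailing space inside `<filename class="directory">/usr/share/shorewall </filename>to` that belongs between the element and "to". The two copy instructions also name `action.Drop` and `Action.Reject` with different capitalization; if the shipped file is really `action.Reject`, the second one sends readers to a file that does not exist.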
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-09-23</pubdate>
|
||||
<pubdate>2004-10-04</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -433,6 +433,12 @@ loc eth1 detect</programlisting></para>
|
||||
net br0:eth0
|
||||
dmz br0:eth2</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The DMZ systems need a route to the 192.168.201.0/24 network via
|
||||
192.0.2.176 to enable them to communicate with the local
|
||||
network.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-09-07</pubdate>
|
||||
<pubdate>2004-10-02</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -213,8 +213,7 @@ OMAK=<ip address of tipper while we are at our second home>
|
||||
LOG=info
|
||||
EXT_IF=eth1
|
||||
INT_IF=eth0
|
||||
DMZ_IF=eth2
|
||||
</programlisting></para>
|
||||
DMZ_IF=eth2</programlisting></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
@ -223,10 +222,10 @@ DMZ_IF=eth2
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
omak Omak Our Laptop at our second home
|
||||
net Internet Internet
|
||||
dmz DMZ Demilitarized zone
|
||||
loc Local Local networks
|
||||
omak Omak Our Laptop at our second home
|
||||
tx Texas Peer Network in Dallas
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
</programlisting>
|
||||
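Review bot: the omak entry moves from the top of the zone list to just above tx, but nothing in the hunk says why. If omak hosts are also reachable through the net interface, check that the new position still gives the precedence you expect, and add a short comment to the listing (or reference the matching /etc/shorewall/hosts change) so the intent is reviewable.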
@ -242,7 +241,7 @@ tx Texas Peer Network in Dallas
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF detect dhcp
|
||||
loc $INT_IF 192.168.1.255 dhcp
|
||||
dmz $DMZ_IF -
|
||||
- texas -
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
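Review bot: replacing `detect` with the literal broadcast address 192.168.1.255 on the loc line ties the entry to a /24 on 192.168.1.0; if the local subnet or mask changes, this value has to be updated by hand, whereas `detect` followed the interface. A comment on why the explicit address is preferred here would help (the net line already carries an explicit 206.124.146.255, so the file is at least consistent now).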
@ -351,9 +350,8 @@ all all REJECT $LOG
|
||||
|
||||
<blockquote>
|
||||
<para>Although most of our internal systems use one-to-one NAT, my
|
||||
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
|
||||
my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
|
||||
with laptops.</para>
|
||||
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
|
||||
does our laptop (192.168.3.8) and visitors with laptops.</para>
|
||||
|
||||
<para>The first entry allows access to the DSL modem and uses features
|
||||
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
|
||||
|
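Review bot: the added sentence writes the leading plus sign as ("+_"); the underscore is a typo and it should read ("+"). The same hunk drops "my SuSE system (192.168.1.3)" from the list of masqueraded hosts; that is fine if the host was removed from the masq file as well, otherwise the prose no longer matches the configuration it describes.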
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-14</pubdate>
|
||||
<pubdate>2004-09-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -29,7 +29,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -39,9 +40,9 @@
|
||||
<para>Setting up Shorewall on a standalone Linux system is very easy if
|
||||
you understand the basics and follow the documentation.</para>
|
||||
|
||||
<para>This guide doesn't attempt to acquaint you with all of the
|
||||
features of Shorewall. It rather focuses on what is required to configure
|
||||
Shorewall in one of its most common configurations:</para>
|
||||
<para>This guide doesn't attempt to acquaint you with all of the features
|
||||
of Shorewall. It rather focuses on what is required to configure Shorewall
|
||||
in one of its most common configurations:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -62,11 +63,11 @@
|
||||
<title>Requirements</title>
|
||||
|
||||
<para>Shorewall requires that you have the iproute/iproute2 package
|
||||
installed (on RedHat, the package is called <emphasis>iproute</emphasis>).
|
||||
You can tell if this package is installed by the presence of an
|
||||
<emphasis role="bold">ip</emphasis> program on your firewall system. As
|
||||
root, you can use the <quote>which</quote> command to check for this
|
||||
program:</para>
|
||||
installed (on RedHat, the package is called
|
||||
<emphasis>iproute</emphasis>). You can tell if this package is installed
|
||||
by the presence of an <emphasis role="bold">ip</emphasis> program on
|
||||
your firewall system. As root, you can use the <quote>which</quote>
|
||||
command to check for this program:</para>
|
||||
|
||||
<programlisting>[root@gateway root]# <command>which ip</command>
|
||||
/sbin/ip
|
||||
@ -77,8 +78,8 @@
|
||||
<title>Before you start</title>
|
||||
|
||||
<para>I recommend that you read through the guide first to familiarize
|
||||
yourself with what's involved then go back through it again making
|
||||
your configuration changes.</para>
|
||||
yourself with what's involved then go back through it again making your
|
||||
configuration changes.</para>
|
||||
|
||||
<caution>
|
||||
<para>If you edit your configuration files on a Windows system, you
|
||||
@ -92,8 +93,9 @@
|
||||
<member><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
|
||||
Version of dos2unix</ulink></member>
|
||||
|
||||
<member><ulink url="http://www.megaloman.com/~hany/software/hd2u/">Linux
|
||||
Version of dos2unix</ulink></member>
|
||||
<member><ulink
|
||||
url="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
|
||||
dos2unix</ulink></member>
|
||||
</simplelist>
|
||||
</caution>
|
||||
</section>
|
||||
@ -102,7 +104,8 @@
|
||||
<title>Conventions</title>
|
||||
|
||||
<para>Points at which configuration changes are recommended are flagged
|
||||
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />.</para>
|
||||
with <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" />.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@ -112,10 +115,11 @@
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If you have an ADSL Modem and you use PPTP to communicate with a
|
||||
server in that modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
|
||||
recommended here</ulink> <emphasis role="underline">in addition to those
|
||||
described in the steps below</emphasis>. ADSL with PPTP is most commonly
|
||||
found in Europe, notably in Austria.</para>
|
||||
server in that modem, you must make the <ulink
|
||||
url="PPTP.htm#PPTP_ADSL">changes recommended here</ulink> <emphasis
|
||||
role="underline">in addition to those described in the steps
|
||||
below</emphasis>. ADSL with PPTP is most commonly found in Europe, notably
|
||||
in Austria.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -126,12 +130,13 @@
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||
setups, you only need to deal with a few of these as described in this
|
||||
guide. After you have <ulink url="Install.htm">installed Shorewall</ulink>,
|
||||
<emphasis role="bold">download the <ulink
|
||||
guide. After you have <ulink url="Install.htm">installed
|
||||
Shorewall</ulink>, <emphasis role="bold">download the <ulink
|
||||
url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
|
||||
sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
|
||||
files to /etc/shorewall (they will replace files with the same names that
|
||||
were placed in /etc/shorewall during Shorewall installation)</emphasis>.</para>
|
||||
were placed in /etc/shorewall during Shorewall
|
||||
installation)</emphasis>.</para>
|
||||
|
||||
<warning>
|
||||
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
||||
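Review bot: the context line `un-tar it (tar -zxvf one-interface.tgz) and and copy the files` has a doubled "and"; since the paragraph is being reflowed anyway, fix it in this hunk. The sample is fetched from a plain http:// URL; if checksums or signatures are published for the Samples tarballs, linking them here would let readers verify what they copy into /etc/shorewall.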
@ -139,11 +144,14 @@
|
||||
<para>If you install using the .deb, you will find that your <filename
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This is
|
||||
intentional. The released configuration file skeletons may be found on
|
||||
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para>
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
<para>Note that you must copy <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para>
|
||||
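Review bot: `<filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>` carries class="directory" on a regular file; drop the attribute. In the same sentence `/usr/share/doc/shorewall/default-config/modules` is left as plain text while the neighbouring paths are wrapped in `<filename>`; mark it up the same way.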
@ -177,10 +185,12 @@
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>Shorewall zones are defined in <ulink url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
|
||||
<para>Shorewall zones are defined in <ulink
|
||||
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
|
||||
|
||||
<para>Shorewall also recognizes the firewall system as its own zone - by
|
||||
default, the firewall itself is known as <emphasis role="bold">fw</emphasis>.</para>
|
||||
default, the firewall itself is known as <emphasis
|
||||
role="bold">fw</emphasis>.</para>
|
||||
|
||||
<para>Rules about what traffic to allow and what traffic to deny are
|
||||
expressed in terms of zones.</para>
|
||||
@ -188,7 +198,8 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>You express your default policy for connections from one zone to
|
||||
another zone in the <ulink url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
|
||||
another zone in the <ulink
|
||||
url="Documentation.htm#Policy"><filename>/etc/shorewall/policy</filename></ulink>
|
||||
file.</para>
|
||||
</listitem>
|
||||
|
||||
@ -200,12 +211,13 @@
|
||||
</itemizedlist>
|
||||
|
||||
<para>For each connection request entering the firewall, the request is
|
||||
first checked against the <filename><filename>/etc/shorewall/rules</filename></filename>
|
||||
file. If no rule in that file matches the connection request then the
|
||||
first policy in <filename>/etc/shorewall/policy</filename> that matches
|
||||
the request is applied. If there is a <ulink
|
||||
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
|
||||
policy in <filename>/etc/shorewall/actions</filename> or
|
||||
first checked against the
|
||||
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no
|
||||
rule in that file matches the connection request then the first policy in
|
||||
<filename>/etc/shorewall/policy</filename> that matches the request is
|
||||
applied. If there is a <ulink url="shorewall_extension_scripts.htm">comon
|
||||
action</ulink> defined for the policy in
|
||||
<filename>/etc/shorewall/actions</filename> or
|
||||
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
||||
peformed before the action is applied.</para>
|
||||
|
||||
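Review bot: `comon action` and `peformed` are misspelled (common, performed) in both the old and the reflowed lines. `<filename><filename>/etc/shorewall/rules</filename></filename>` is doubly nested; one element is enough. The "common action" link points at `shorewall_extension_scripts.htm`, which by its name covers extension scripts rather than actions; confirm the target. Finally, "that action is performed before the action is applied" is circular; from the surrounding text the second "action" means the policy, so "before the policy is applied" would be clearer.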
@ -221,7 +233,8 @@ all all REJECT info</programlisting>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>allow all connection requests from the firewall to the internet</para>
|
||||
<para>allow all connection requests from the firewall to the
|
||||
internet</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -244,15 +257,16 @@ all all REJECT info</programlisting>
|
||||
|
||||
<para>The firewall has a single network interface. Where Internet
|
||||
connectivity is through a cable or DSL <quote>Modem</quote>, the
|
||||
<emphasis>External Interface</emphasis> will be the ethernet adapter (<emphasis
|
||||
role="bold">eth0</emphasis>) that is connected to that <quote>Modem</quote>
|
||||
<emphasis role="underline">unless</emphasis> you connect via
|
||||
<emphasis>Point-to-Point Protocol over Ethernet</emphasis> (PPPoE) or
|
||||
<emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP) in which
|
||||
case the External Interface will be a <emphasis role="bold">ppp0</emphasis>.
|
||||
If you connect via a regular modem, your External Interface will also be
|
||||
<emphasis role="bold">ppp0</emphasis>. If you connect using ISDN, your
|
||||
external interface will be <emphasis role="bold">ippp0</emphasis>.</para>
|
||||
<emphasis>External Interface</emphasis> will be the ethernet adapter
|
||||
(<emphasis role="bold">eth0</emphasis>) that is connected to that
|
||||
<quote>Modem</quote> <emphasis role="underline">unless</emphasis> you
|
||||
connect via <emphasis>Point-to-Point Protocol over Ethernet</emphasis>
|
||||
(PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis> (PPTP)
|
||||
in which case the External Interface will be a <emphasis
|
||||
role="bold">ppp0</emphasis>. If you connect via a regular modem, your
|
||||
External Interface will also be <emphasis role="bold">ppp0</emphasis>. If
|
||||
you connect using ISDN, your external interface will be <emphasis
|
||||
role="bold">ippp0</emphasis>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
@ -264,25 +278,28 @@ all all REJECT info</programlisting>
|
||||
Some hints:</para>
|
||||
|
||||
<tip>
|
||||
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
|
||||
or <emphasis role="bold">ippp0</emphasis>, you can replace the
|
||||
<quote>detect</quote> in the second column with <quote>-</quote>.</para>
|
||||
<para>If your external interface is <emphasis
|
||||
role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis>,
|
||||
you can replace the <quote>detect</quote> in the second column with
|
||||
<quote>-</quote>.</para>
|
||||
</tip>
|
||||
|
||||
<tip>
|
||||
<para>If your external interface is <emphasis role="bold">ppp0</emphasis>
|
||||
or <emphasis role="bold">ippp0</emphasis> or if you have a static IP
|
||||
address, you can remove <quote>dhcp</quote> from the option list.</para>
|
||||
<para>If your external interface is <emphasis
|
||||
role="bold">ppp0</emphasis> or <emphasis role="bold">ippp0</emphasis> or
|
||||
if you have a static IP address, you can remove <quote>dhcp</quote> from
|
||||
the option list.</para>
|
||||
</tip>
|
||||
|
||||
<tip>
|
||||
<para>If you specify <emphasis>norfc1918</emphasis> for your external
|
||||
interface, you will want to check the <ulink url="errata.htm">Shorewall
|
||||
Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/rfc1918
|
||||
file</filename>. Alternatively, you can copy <filename>/usr/share/shorewall/rfc1918</filename>
|
||||
to <filename>/etc/shorewall/rfc1918</filename> then <ulink
|
||||
url="myfiles.htm#RFC1918">strip down your <filename>/etc/shorewall/rfc1918</filename>
|
||||
file as I do</ulink>.</para>
|
||||
Errata</ulink> periodically for updates to the
|
||||
<filename>/usr/share/shorewall/rfc1918 file</filename>. Alternatively,
|
||||
you can copy <filename>/usr/share/shorewall/rfc1918</filename> to
|
||||
<filename>/etc/shorewall/rfc1918</filename> then <ulink
|
||||
url="myfiles.htm#RFC1918">strip down your
|
||||
<filename>/etc/shorewall/rfc1918</filename> file as I do</ulink>.</para>
|
||||
</tip>
|
||||
</section>
|
||||
|
||||
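Review bot: `<filename>/usr/share/shorewall/rfc1918 file</filename>` wraps the word "file" inside the filename element in the reflowed tip; move `file` outside the closing tag.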
@ -296,12 +313,12 @@ all all REJECT info</programlisting>
|
||||
172.16.0.0 - 172.31.255.255
|
||||
192.168.0.0 - 192.168.255.255</programlisting>
|
||||
|
||||
<para>These addresses are sometimes referred to as <emphasis>non-routable</emphasis>
|
||||
because the Internet backbone routers will not forward a packet whose
|
||||
destination address is reserved by RFC 1918. In some cases though, ISPs
|
||||
are assigning these addresses then using <emphasis>Network Address
|
||||
Translation</emphasis> to rewrite packet headers when forwarding to/from
|
||||
the internet.</para>
|
||||
<para>These addresses are sometimes referred to as
|
||||
<emphasis>non-routable</emphasis> because the Internet backbone routers
|
||||
will not forward a packet whose destination address is reserved by RFC
|
||||
1918. In some cases though, ISPs are assigning these addresses then using
|
||||
<emphasis>Network Address Translation</emphasis> to rewrite packet headers
|
||||
when forwarding to/from the internet.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
@ -319,7 +336,8 @@ all all REJECT info</programlisting>
|
||||
actions included in your version of Shorewall in the file
|
||||
<filename>/usr/share/shorewall/actions.std</filename>.</para>
|
||||
|
||||
<para>Those actions that allow a connection begin with <quote>Allow</quote>.</para>
|
||||
<para>Those actions that allow a connection begin with
|
||||
<quote>Allow</quote>.</para>
|
||||
|
||||
<para>If you wish to enable connections from the internet to your firewall
|
||||
and you find an appropriate <quote>Allow</quote> action in
|
||||
@ -327,7 +345,7 @@ all all REJECT info</programlisting>
|
||||
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<<emphasis>action</emphasis>> net fw</programlisting>
|
||||
<<emphasis>action</emphasis>> net fw</programlisting>
|
||||
|
||||
<example>
|
||||
<title>You want to run a Web Server and a POP3 Server on your firewall
|
||||
@ -341,10 +359,11 @@ AllowPOP3 net fw</programlisting>
|
||||
<para>You may also choose to code your rules directly without using the
|
||||
pre-defined actions. This will be necessary in the event that there is not
|
||||
a pre-defined action that meets your requirements. In that case the
|
||||
general format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
general format of a rule in <filename>/etc/shorewall/rules</filename>
|
||||
is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
|
||||
<example>
|
||||
<title>You want to run a Web Server and a POP3 Server on your firewall
|
||||
@ -355,12 +374,12 @@ ACCEPT net fw tcp 80
|
||||
ACCEPT net fw tcp 110</programlisting></para>
|
||||
</example>
|
||||
|
||||
<para>If you don't know what port and protocol a particular
|
||||
application uses, see <ulink url="ports.htm">here</ulink>.</para>
|
||||
<para>If you don't know what port and protocol a particular application
|
||||
uses, see <ulink url="ports.htm">here</ulink>.</para>
|
||||
|
||||
<important>
|
||||
<para>I don't recommend enabling telnet to/from the internet because
|
||||
it uses clear text (even for login!). If you want shell access to your
|
||||
<para>I don't recommend enabling telnet to/from the internet because it
|
||||
uses clear text (even for login!). If you want shell access to your
|
||||
firewall from the internet, use SSH:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
@ -380,34 +399,46 @@ AllowSSH net fw </programlisting>
|
||||
|
||||
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
||||
configures your system to start Shorewall at system boot but beginning
|
||||
with Shorewall version 1.3.9 startup is disabled so that your system
|
||||
won't try to start Shorewall before configuration is complete. Once
|
||||
you have completed configuration of your firewall, you can enable
|
||||
Shorewall startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>.</para>
|
||||
with Shorewall version 1.3.9 startup is disabled so that your system won't
|
||||
try to start Shorewall before configuration is complete. Once you have
|
||||
completed configuration of your firewall, you can enable Shorewall startup
|
||||
by removing the file
|
||||
<filename>/etc/shorewall/startup_disabled</filename>.</para>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">Users of the .deb package must edit
|
||||
<filename>/etc/default/shorewall</filename> and set <quote>startup=1</quote>.</emphasis></para>
|
||||
<filename>/etc/default/shorewall</filename> and set
|
||||
<quote>startup=1</quote>.</emphasis></para>
|
||||
</important>
|
||||
|
||||
<para>The firewall is started using the <quote><command>shorewall start</command></quote>
|
||||
command and stopped using <quote><command>shorewall stop</command></quote>.
|
||||
When the firewall is stopped, routing is enabled on those hosts that have
|
||||
an entry in <filename><ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
|
||||
<important>
|
||||
<para><emphasis role="bold">If you are running Shorewall 2.1.3 or later,
|
||||
you must enable startup by editing /etc/shorewall/shorewall.conf and
|
||||
setting STARTUP_ENABLED=Yes.</emphasis></para>
|
||||
</important>
|
||||
|
||||
<para>The firewall is started using the <quote><command>shorewall
|
||||
start</command></quote> command and stopped using
|
||||
<quote><command>shorewall stop</command></quote>. When the firewall is
|
||||
stopped, routing is enabled on those hosts that have an entry in
|
||||
<filename><ulink
|
||||
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>.
|
||||
A running firewall may be restarted using the <quote><command>shorewall
|
||||
restart</command></quote> command. If you want to totally remove any trace
|
||||
of Shorewall from your Netfilter configuration, use <quote><command>shorewall
|
||||
clear</command></quote>.</para>
|
||||
of Shorewall from your Netfilter configuration, use
|
||||
<quote><command>shorewall clear</command></quote>.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you are connected to your firewall from the internet, do not
|
||||
issue a <quote><command>shorewall stop</command></quote> command unless
|
||||
you have added an entry for the IP address that you are connected from
|
||||
to <ulink url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
||||
Also, I don't recommend using <quote><command>shorewall restart</command></quote>;
|
||||
it is better to create an <emphasis><ulink
|
||||
url="configuration_file_basics.htm#Configs">alternate configuration</ulink></emphasis>
|
||||
and test it using the <ulink url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
|
||||
to <ulink
|
||||
url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
||||
Also, I don't recommend using <quote><command>shorewall
|
||||
restart</command></quote>; it is better to create an <emphasis><ulink
|
||||
url="configuration_file_basics.htm#Configs">alternate
|
||||
configuration</ulink></emphasis> and test it using the <ulink
|
||||
url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
|
||||
try</command></quote> command</ulink>.</para>
|
||||
</warning>
|
||||
</section>
|
||||
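Review bot: the new `<important>` about STARTUP_ENABLED=Yes for Shorewall 2.1.3 and later sits right after the paragraph that says startup is enabled by removing /etc/shorewall/startup_disabled (since 1.3.9) and the note telling .deb users to set startup=1, without saying whether those steps still apply on 2.1.3. State which mechanism belongs to which version, and whether a .deb user on 2.1.3 needs both settings, so a reader does not end up with a firewall that never starts at boot. Also wrap /etc/shorewall/shorewall.conf in `<filename>` like `/etc/default/shorewall` just above.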
@ -424,11 +455,57 @@ AllowSSH net fw </programlisting>
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-16</date><authorinitials>TE</authorinitials><revremark>Move
|
||||
/etc/shorewall/rfc1918 to /usr/share/shorewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Update
|
||||
for Shorewall 2.0</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
|
||||
Changes</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
tip about /etc/shorewall/rfc1918 updates.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-11-15</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||
Docbook Conversion</revremark></revision></revhistory></para>
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.7</revnumber>
|
||||
|
||||
<date>2004-02-16</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Move /etc/shorewall/rfc1918 to
|
||||
/usr/share/shorewall.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.6</revnumber>
|
||||
|
||||
<date>2004-02-05</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Update for Shorewall 2.0</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.5</revnumber>
|
||||
|
||||
<date>2004-01-05</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Standards Changes</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.4</revnumber>
|
||||
|
||||
<date>2003-12-30</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
<date>2003-11-15</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Initial Docbook Conversion</revremark>
|
||||
</revision>
|
||||
</revhistory></para>
|
||||
</appendix>
|
||||
</article>
|
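Review bot: this hunk only restructures the revhistory, whose newest entry is still 1.7 dated 2004-02-16, while this document's pubdate moves to 2004-09-12 and the text gains the STARTUP_ENABLED note; add a revision entry for the change, otherwise the history stops being a record of what changed.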
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-08-10</pubdate>
|
||||
<pubdate>2004-09-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -176,7 +176,10 @@
|
||||
file <filename>/etc/shorewall/startup_disabled</filename>. Note:
|
||||
Users of the .deb package must edit
|
||||
<filename>/etc/default/shorewall</filename> and set
|
||||
<quote>startup=1</quote>.</para>
|
||||
<quote>startup=1</quote> while users who are running Shorewall
|
||||
2.1.3 or later must edit
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> and set
|
||||
STARTUP_ENABLED=Yes.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
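Review bot: "Users of the .deb package must edit ... startup=1 while users who are running Shorewall 2.1.3 or later must edit ... STARTUP_ENABLED=Yes" reads as two exclusive cases, but a .deb user can also be on 2.1.3 or later; say explicitly whether both settings are required in that case. The path /etc/shorewall/shorewall.conf is in `<filename>` here but STARTUP_ENABLED=Yes is plain text; the same line in the .deb sentence uses `<quote>` for startup=1, so pick one convention for the two settings.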
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-09-07</pubdate>
|
||||
<pubdate>2004-09-21</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -269,7 +269,8 @@
|
||||
<section>
|
||||
<title>Where to Send your Problem Report or to Ask for Help</title>
|
||||
|
||||
<para><emphasis role="bold">If you run the current development
|
||||
<para><emphasis role="bold">If you run the current development release and
|
||||
your question involves a feature that is only available in the development
|
||||
release</emphasis> (see the <ulink url="ReleaseModel.html">Shorewall
|
||||
Release Model page</ulink>) -- please post your question or problem to the
|
||||
<ulink url="mailto:shorewall-devel@lists.shorewall.net">Shorewall
|
||||
@ -303,72 +304,4 @@
|
||||
url="http://lists.shorewall.net">http://lists.shorewall.net</ulink>
|
||||
.</para>
|
||||
</section>
|
||||
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.6</revnumber>
|
||||
|
||||
<date>2003-07-03</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>New Release Model</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.5</revnumber>
|
||||
|
||||
<date>2003-05-16</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Add link to the troubleshooting section</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.4</revnumber>
|
||||
|
||||
<date>2003-03-15</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Remove Newbies Mailing List.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
<date>2003-02-19</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Admonish against including "iptables -L"
|
||||
output.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.2</revnumber>
|
||||
|
||||
<date>2003-01-01</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Removed .GIF and moved note about unsupported releases.
|
||||
Move Revision History to this Appendix.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.1</revnumber>
|
||||
|
||||
<date>2003-12-19</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Corrected URL for Newbies List</revremark>
|
||||
</revision>
|
||||
</revhistory></para>
|
||||
</appendix>
|
||||
</article>
|
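Review bot: the entire Revision History appendix is deleted here while the commit message only says "Documentation Updates"; if the history now lives in version control that is reasonable, but note it in the commit message so the removal is recognisably deliberate rather than an accidental truncation of the file.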
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Operating Shorewall</title>
|
||||
<title></title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@ -29,7 +29,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
|
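Review bot: `<title>Operating Shorewall</title>` becomes `<title></title>`, leaving the article with an empty title; unless the title is intentionally supplied elsewhere, this looks like an accidental deletion and should be restored.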
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-09-06</pubdate>
|
||||
<pubdate>2004-09-12</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -931,6 +931,10 @@ ACCEPT net fw tcp 80 </programlisting><it
|
||||
<para>Users of the <filename>.deb</filename> package must edit
|
||||
<filename>/etc/default/shorewall</filename> and set
|
||||
<varname>startup=1</varname>.</para>
|
||||
</important><important>
|
||||
<para>Users running Shorewall 2.1.3 or later should edit
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> and set
|
||||
STARTUP_ENABLED=Yes.</para>
|
||||
</important>The firewall is started using the <command>shorewall
|
||||
start</command> command and stopped using <command>shorewall
|
||||
stop</command>. When the firewall is stopped, routing is enabled on those
|
||||
|
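Review bot: this file says users running 2.1.3 or later "should edit" shorewall.conf, while the other documents changed in this commit say "must edit"; since startup is not enabled without STARTUP_ENABLED=Yes, "must" is the accurate word. The two `<important>` blocks are also back to back (`</important><important>`), so consider merging them into one admonition that covers both the .deb and the 2.1.3 cases.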
@ -859,6 +859,9 @@ ACCEPT loc fw tcp 80 #Allow Weblet to work</progra
|
||||
<para>Users of the .deb package must edit <filename
|
||||
class="directory">/etc/default/</filename><filename>shorewall</filename>
|
||||
and set <varname>startup=1</varname>.</para>
|
||||
</important><important>
|
||||
<para>Users running Shorewall 2.1.3 or later must edit
|
||||
/etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes.</para>
|
||||
</important> The firewall is started using the <quote><command>shorewall
|
||||
start</command></quote> command and stopped using
|
||||
<quote><command>shorewall stop</command></quote>. When the firewall is
|
||||
|
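Review bot: `/etc/shorewall/shorewall.conf` is plain text in the new `<important>` while `/etc/default/` and `shorewall` in the same hunk are wrapped in `<filename>`; mark it up the same way. The split `<filename class="directory">/etc/default/</filename><filename>shorewall</filename>` on the context line could also be collapsed into a single `<filename>/etc/default/shorewall</filename>` while you are here.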