mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 23:53:30 +01:00
Misc doc changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1122 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a4fc4c2ea0
commit
863bd01657
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2004-01-21</pubdate>
|
<pubdate>2004-02-04</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2003</year>
|
<year>2001-2003</year>
|
||||||
@ -23,7 +23,7 @@
|
|||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
<edition>1.4.9</edition>
|
<edition>1.4.10</edition>
|
||||||
|
|
||||||
<legalnotice>
|
<legalnotice>
|
||||||
<para>Permission is granted to copy, distribute and/or modify this
|
<para>Permission is granted to copy, distribute and/or modify this
|
||||||
@ -221,7 +221,8 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="myfiles.htm">My Shorewall Configuration</ulink> (How I
|
<para><ulink url="myfiles.htm">My Shorewall Configuration</ulink> (How I
|
||||||
personally use Shorewall)</para>
|
personally use Shorewall) (<ulink url="myfiles2.html">Shorewall 2.0
|
||||||
|
Configuration</ulink>)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -272,6 +273,10 @@
|
|||||||
<para><ulink url="shorewall_prerequisites.htm">Requirements</ulink></para>
|
<para><ulink url="shorewall_prerequisites.htm">Requirements</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><ulink url="Multiple_Zones.html">Routing on One Interface</ulink></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="samba.htm">Samba</ulink></para>
|
<para><ulink url="samba.htm">Samba</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -1367,6 +1367,17 @@ Creating input Chains...
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Given that the Debian Stable Release includes Shorewall 1.2.12,
|
||||||
|
how can you not support that version?</title>
|
||||||
|
|
||||||
|
<para>The first release of Shorewall was in March of 2001. Shorewall
|
||||||
|
1.2.12 was released in May of 2002. It is now the year 2004 and soon
|
||||||
|
Shorewall 2.0 will be available. Shorewall 1.2.12 is poorly documented
|
||||||
|
and is missing many of the features that Shorewall users find essential
|
||||||
|
today.</para>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
<!--$Id$-->
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Multiple Zones per Interface</title>
|
<title>Routing on One Interface</title>
|
||||||
|
|
||||||
<authorgroup>
|
<authorgroup>
|
||||||
<author>
|
<author>
|
||||||
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-11-21</pubdate>
|
<pubdate>2004-02-04</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003</year>
|
<year>2003</year>
|
||||||
@ -181,149 +181,35 @@
|
|||||||
loc1 to the internet doesn't match any rules for loc1->net
|
loc1 to the internet doesn't match any rules for loc1->net
|
||||||
then it will be checked against the loc->net rules.</para>
|
then it will be checked against the loc->net rules.</para>
|
||||||
|
|
||||||
<table>
|
<para><filename>/etc/shorewall/zones</filename></para>
|
||||||
<title>/etc/shorewall/zones</title>
|
|
||||||
|
|
||||||
<tgroup cols="3">
|
<programlisting>#ZONE DISPLAY COMMENTS
|
||||||
<thead>
|
loc1 Local1 Hosts accessed through internal router
|
||||||
<row>
|
loc Local All hosts accessed via eth1</programlisting>
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DISPLAY</entry>
|
|
||||||
|
|
||||||
<entry align="center">COMMENTS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>Local2</entry>
|
|
||||||
|
|
||||||
<entry>Hosts access through internal router</entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>Local</entry>
|
|
||||||
|
|
||||||
<entry>All hosts accessed via eth1</entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>the sub-zone (loc1) is defined first!</para>
|
<para>the sub-zone (loc1) is defined first!</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<table>
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||||
<title>/etc/shorewall/interfaces</title>
|
|
||||||
|
|
||||||
<tgroup cols="4">
|
<programlisting>#ZONE INTERFACE BROADCAST
|
||||||
<thead>
|
loc eth1 192.168.1.255</programlisting>
|
||||||
<row>
|
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">INTERFACE</entry>
|
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||||
|
|
||||||
<entry align="center">BROADCAST</entry>
|
<programlisting>#ZONE HOSTS
|
||||||
|
loc1 eth1:192.168.2.0/24</programlisting>
|
||||||
<entry align="center">OPTIONS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>eth1</entry>
|
|
||||||
|
|
||||||
<entry>192.168.1.255</entry>
|
|
||||||
|
|
||||||
<entry>...</entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<table>
|
|
||||||
<title>/etc/shorewall/hosts</title>
|
|
||||||
|
|
||||||
<tgroup cols="3">
|
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">HOSTS</entry>
|
|
||||||
|
|
||||||
<entry align="center">OPTIONS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>eth1:192.168.2.0/24</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<para>If you don't need Shorewall to set up infrastructure to
|
<para>If you don't need Shorewall to set up infrastructure to
|
||||||
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
|
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
|
||||||
these two policies:</para>
|
these two policies.</para>
|
||||||
|
|
||||||
<table>
|
<para>/etc/shorewall/policy</para>
|
||||||
<title>/etc/shorewall/policy</title>
|
|
||||||
|
|
||||||
<tgroup cols="5">
|
<programlisting>#SOURCE DEST POLICY
|
||||||
<thead>
|
loc loc1 NONE
|
||||||
<row>
|
loc1 loc NONE</programlisting>
|
||||||
<entry align="center">SOURCE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DEST</entry>
|
|
||||||
|
|
||||||
<entry align="center">POLICY</entry>
|
|
||||||
|
|
||||||
<entry align="center">LOG LEVEL</entry>
|
|
||||||
|
|
||||||
<entry align="center">RATE:BURST</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>NONE</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>NONE</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -334,157 +220,34 @@
|
|||||||
|
|
||||||
<graphic fileref="images/MultiZone1B.png" />
|
<graphic fileref="images/MultiZone1B.png" />
|
||||||
|
|
||||||
<table>
|
<para><filename>/etc/shorewall/zones</filename></para>
|
||||||
<title>/etc/shorewall/zones</title>
|
|
||||||
|
|
||||||
<tgroup cols="3">
|
<programlisting>#ZONE DISPLAY COMMENTS
|
||||||
<thead>
|
loc1 Local1 Hosts accessed Directly from Firewall
|
||||||
<row>
|
loc2 Local2 Hosts accessed via the internal Router</programlisting>
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DISPLAY</entry>
|
|
||||||
|
|
||||||
<entry align="center">COMMENTS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>Local1</entry>
|
|
||||||
|
|
||||||
<entry>Hosts accessed Directly from Firewall</entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>loc2</entry>
|
|
||||||
|
|
||||||
<entry>Local2</entry>
|
|
||||||
|
|
||||||
<entry>Hosts accessed via internal Router</entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>Here it doesn't matter which zone is defined first.</para>
|
<para>Here it doesn't matter which zone is defined first.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<table>
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||||
<title>/etc/shorewall/interfaces</title>
|
|
||||||
|
|
||||||
<tgroup cols="4">
|
<programlisting>#ZONE INTERFACE BROADCAST
|
||||||
<thead>
|
- eth1 192.168.1.255</programlisting>
|
||||||
<row>
|
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">INTERFACE</entry>
|
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||||
|
|
||||||
<entry align="center">BROADCAST</entry>
|
<programlisting>#ZONE HOSTS
|
||||||
|
loc1 eth1:192.168.1.0/24
|
||||||
|
loc2 eth1:192.168.2.0/24</programlisting>
|
||||||
|
|
||||||
<entry align="center">OPTIONS</entry>
|
<para>You don't need Shorewall to set up infrastructure to route
|
||||||
</row>
|
traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>-</entry>
|
|
||||||
|
|
||||||
<entry>eth1</entry>
|
|
||||||
|
|
||||||
<entry>192.168.1.255</entry>
|
|
||||||
|
|
||||||
<entry>...</entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<table>
|
|
||||||
<title>/etc/shorewall/hosts</title>
|
|
||||||
|
|
||||||
<tgroup cols="3">
|
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">HOSTS</entry>
|
|
||||||
|
|
||||||
<entry align="center">OPTIONS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>eth1:192.168.1.0/24</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>loc2</entry>
|
|
||||||
|
|
||||||
<entry>eth1:192.168.2.0/24</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<para>If you don't need Shorewall to set up infrastructure to
|
|
||||||
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
|
|
||||||
these two policies:</para>
|
these two policies:</para>
|
||||||
|
|
||||||
<table>
|
<programlisting>#SOURCE DEST POLICY
|
||||||
<title>/etc/shorewall/policy</title>
|
loc1 loc2 NONE
|
||||||
|
loc2 loc1 NONE</programlisting>
|
||||||
<tgroup cols="5">
|
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">SOURCE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DEST</entry>
|
|
||||||
|
|
||||||
<entry align="center">POLICY</entry>
|
|
||||||
|
|
||||||
<entry align="center">LOG LEVEL</entry>
|
|
||||||
|
|
||||||
<entry align="center">RATE:BURST</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>NONE</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>NONE</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -500,148 +263,32 @@
|
|||||||
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
|
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
|
||||||
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
|
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
|
||||||
|
|
||||||
<table>
|
<para><filename>/etc/shorewall/zones</filename></para>
|
||||||
<title>/etc/shorewall/zones</title>
|
|
||||||
|
|
||||||
<tgroup cols="3">
|
<programlisting>#ZONE DISPLAY COMMENTS
|
||||||
<thead>
|
loc1 Local1 192.168.1.8-192.168.1.15
|
||||||
<row>
|
loc Local All hosts accessed via eth1</programlisting>
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DISPLAY</entry>
|
|
||||||
|
|
||||||
<entry align="center">COMMENTS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>Local2</entry>
|
|
||||||
|
|
||||||
<entry>192.168.1.8 - 192.168.1.15</entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>Local</entry>
|
|
||||||
|
|
||||||
<entry>All hosts accessed via eth1</entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>the sub-zone (loc1) is defined first!</para>
|
<para>the sub-zone (loc1) is defined first!</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<table>
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||||
<title>/etc/shorewall/interfaces</title>
|
|
||||||
|
|
||||||
<tgroup cols="4">
|
<programlisting>#ZONE INTERFACE BROADCAST
|
||||||
<thead>
|
loc eth1 192.168.1.255</programlisting>
|
||||||
<row>
|
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">INTERFACE</entry>
|
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS
|
||||||
|
loc1 eth1:192.168.1.8/29</programlisting></para>
|
||||||
<entry align="center">BROADCAST</entry>
|
|
||||||
|
|
||||||
<entry align="center">OPTIONS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>eth1</entry>
|
|
||||||
|
|
||||||
<entry>192.168.1.255</entry>
|
|
||||||
|
|
||||||
<entry>...</entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<table>
|
|
||||||
<title>/etc/shorewall/hosts</title>
|
|
||||||
|
|
||||||
<tgroup cols="3">
|
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">HOSTS</entry>
|
|
||||||
|
|
||||||
<entry align="center">OPTIONS</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>eth1:192.168.2.0/24</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<para>You probably don't want Shorewall to set up infrastructure to
|
<para>You probably don't want Shorewall to set up infrastructure to
|
||||||
route traffic between <quote>loc</quote> and <quote>loc1</quote> so you
|
route traffic between <quote>loc</quote> and <quote>loc1</quote> so you
|
||||||
should add these two policies:</para>
|
should add these two policies.</para>
|
||||||
|
|
||||||
<table>
|
<para><filename>/etc/shorewall/policy</filename></para>
|
||||||
<title>/etc/shorewall/policy</title>
|
|
||||||
|
|
||||||
<tgroup cols="5">
|
<programlisting>#SOURCE DEST POLICY
|
||||||
<thead>
|
loc loc1 NONE
|
||||||
<row>
|
loc1 loc NONE</programlisting>
|
||||||
<entry align="center">SOURCE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DEST</entry>
|
|
||||||
|
|
||||||
<entry align="center">POLICY</entry>
|
|
||||||
|
|
||||||
<entry align="center">LOG LEVEL</entry>
|
|
||||||
|
|
||||||
<entry align="center">RATE:BURST</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>NONE</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
|
|
||||||
<row>
|
|
||||||
<entry>loc1</entry>
|
|
||||||
|
|
||||||
<entry>loc</entry>
|
|
||||||
|
|
||||||
<entry>NONE</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</table>
|
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
622
Shorewall-docs/myfiles2.xml
Normal file
622
Shorewall-docs/myfiles2.xml
Normal file
@ -0,0 +1,622 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
|
<article>
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
|
<articleinfo>
|
||||||
|
<title>About My Network</title>
|
||||||
|
|
||||||
|
<authorgroup>
|
||||||
|
<author>
|
||||||
|
<firstname>Tom</firstname>
|
||||||
|
|
||||||
|
<surname>Eastep</surname>
|
||||||
|
</author>
|
||||||
|
</authorgroup>
|
||||||
|
|
||||||
|
<pubdate>2004-02-04</pubdate>
|
||||||
|
|
||||||
|
<copyright>
|
||||||
|
<year>2001-2004</year>
|
||||||
|
|
||||||
|
<holder>Thomas M. Eastep</holder>
|
||||||
|
</copyright>
|
||||||
|
|
||||||
|
<legalnotice>
|
||||||
|
<para>Permission is granted to copy, distribute and/or modify this
|
||||||
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
|
Texts. A copy of the license is included in the section entitled
|
||||||
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
|
</legalnotice>
|
||||||
|
</articleinfo>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>My Current Network</title>
|
||||||
|
|
||||||
|
<caution>
|
||||||
|
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
|
||||||
|
which are relevant to a simple configuration with a single public IP
|
||||||
|
address. If you have just a single public IP address, most of what you
|
||||||
|
see here won't apply to your setup so beware of copying parts of
|
||||||
|
this configuration and expecting them to work for you. What you copy may
|
||||||
|
or may not work in your configuration.</para>
|
||||||
|
</caution>
|
||||||
|
|
||||||
|
<caution>
|
||||||
|
<para>The configuration shown here corresponds to Shorewall version
|
||||||
|
2.0.0-Alpha2. It may use features not available in earlier Shorewall
|
||||||
|
releases.</para>
|
||||||
|
</caution>
|
||||||
|
|
||||||
|
<para>I have DSL service and have 5 static IP addresses
|
||||||
|
(206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
|
||||||
|
connected to eth0. I have a local network connected to eth2 (subnet
|
||||||
|
192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
|
||||||
|
network connected to eth3 (192.168.3.0/24).</para>
|
||||||
|
|
||||||
|
<para>I use:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>One-to-one NAT for Ursa (my personal system that dual-boots
|
||||||
|
Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and
|
||||||
|
external address 206.124.146.178.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>One-to-one NAT for EastepLaptop (My work system -- Windows XP
|
||||||
|
SP2). Internal address 192.168.1.7 and external address
|
||||||
|
206.124.146.180.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>SNAT through 206.124.146.179 for  my SuSE 9.0 Linux
|
||||||
|
system (Wookie), my Wife's Windows XP system (Tarry), and
|
||||||
|
our  Windows XP laptop (Tipper) which connects through the
|
||||||
|
Wireless Access Point (wap) via a Wireless Bridge (bridge).<note><para>While
|
||||||
|
the distance between the WAP and where I usually use the laptop
|
||||||
|
isn't very far (25 feet or so), using a WAC11 (CardBus wireless
|
||||||
|
card) has proved very unsatisfactory (lots of lost connections). By
|
||||||
|
replacing the WAC11 with the WET11 wireless bridge, I have virtually
|
||||||
|
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
|
||||||
|
also able to eliminate the disconnects by hanging a piece of aluminum
|
||||||
|
foil on the family room wall. Needless to say, my wife Tarry rejected
|
||||||
|
that as a permanent solution :-).</para></note></para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
|
||||||
|
|
||||||
|
<para>Wookie, Ursa and the Firewall all run Samba and the Firewall acts as
|
||||||
|
a WINS server.</para>
|
||||||
|
|
||||||
|
<para>The wireless network connects to eth3 via a LinkSys WAP11. 
|
||||||
|
In additional to using the rather weak WEP 40-bit encryption (64-bit with
|
||||||
|
the 24-bit preamble), I use <ulink url="MAC_Validation.html">MAC
|
||||||
|
verification</ulink>. This is still a weak combination and if I lived near
|
||||||
|
a wireless <quote>hot spot</quote>, I would probably add IPSEC or
|
||||||
|
something similar to my WiFi->local connections.</para>
|
||||||
|
|
||||||
|
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||||
|
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
||||||
|
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
|
||||||
|
fetch our email from our old and current ISPs. That server is managed
|
||||||
|
through Proxy ARP.</para>
|
||||||
|
|
||||||
|
<para>The firewall system itself runs a DHCP server that serves the local
|
||||||
|
network.</para>
|
||||||
|
|
||||||
|
<para>All administration and publishing is done using ssh/scp. I have a
|
||||||
|
desktop environment installed on the firewall but I am not usually logged
|
||||||
|
in to it. X applications tunnel through SSH to Ursa. The server also has a
|
||||||
|
desktop environment installed and that desktop environment is available
|
||||||
|
via XDMCP from the local zone. For the most part though, X tunneled
|
||||||
|
through SSH is used for server administration and the server runs at run
|
||||||
|
level 3 (multi-user console mode on RedHat).</para>
|
||||||
|
|
||||||
|
<para>I run an SNMP server on my firewall to serve <ulink
|
||||||
|
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
|
||||||
|
in the DMZ.<graphic align="center" fileref="images/network.png" />The
|
||||||
|
ethernet interface in the Server is configured with IP address
|
||||||
|
206.124.146.177, netmask 255.255.255.0. The server's default gateway
|
||||||
|
is 206.124.146.254 (Router at my ISP. This is the same default gateway
|
||||||
|
used by the firewall itself). On the firewall, an entry in my
|
||||||
|
/etc/network/interfaces file (see below) adds a host route to
|
||||||
|
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||||
|
|
||||||
|
<para>Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for
|
||||||
|
Road Warrior access.</para>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Shorewall.conf</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>LOGFILE=/var/log/messages
|
||||||
|
LOGRATE=
|
||||||
|
LOGBURST=
|
||||||
|
LOGUNCLEAN=$LOG
|
||||||
|
BLACKLIST_LOGLEVEL=
|
||||||
|
LOGNEWNOTSYN=$LOG
|
||||||
|
MACLIST_LOG_LEVEL=$LOG
|
||||||
|
TCP_FLAGS_LOG_LEVEL=$LOG
|
||||||
|
RFC1918_LOG_LEVEL=$LOG
|
||||||
|
SMURF_LOG_LEVEL=
|
||||||
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
SHOREWALL_SHELL=/bin/ash
|
||||||
|
SUBSYSLOCK= #I run Debian which doesn't use service locks
|
||||||
|
STATEDIR=/var/state/shorewall
|
||||||
|
MODULESDIR=
|
||||||
|
FW=fw
|
||||||
|
IP_FORWARDING=On
|
||||||
|
ADD_IP_ALIASES=Yes
|
||||||
|
ADD_SNAT_ALIASES=Yes
|
||||||
|
TC_ENABLED=Yes
|
||||||
|
CLEAR_TC=No
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
CLAMPMSS=Yes
|
||||||
|
ROUTE_FILTER=No
|
||||||
|
DETECT_DNAT_IPADDRS=Yes
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
NEWNOTSYN=Yes
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Params File (Edited)</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||||
|
NTPSERVERS=<list of the NTP servers I sync with>
|
||||||
|
TEXAS=<ip address of gateway in Dallas>
|
||||||
|
LOG=info</programlisting></para>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Zones File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ZONE DISPLAY COMMENTS
|
||||||
|
net Internet Internet
|
||||||
|
WiFi Wireless Wireless Network on eth3
|
||||||
|
dmz DMZ Demilitarized zone
|
||||||
|
loc Local Local networks
|
||||||
|
tx Texas Peer Network in Dallas
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Interfaces File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>This is set up so that I can start the firewall before bringing
|
||||||
|
up my Ethernet interfaces.</para>
|
||||||
|
|
||||||
|
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
|
||||||
|
loc eth2 192.168.1.255 dhcp,detectnets
|
||||||
|
dmz eth1 192.168.2.255
|
||||||
|
WiFi eth3 192.168.3.255 dhcp,maclist,detectnets
|
||||||
|
- texas 192.168.9.255
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Hosts File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ZONE HOST(S) OPTIONS
|
||||||
|
tx              texas:192.168.8.0/22
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Routestopped File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#INTERFACE HOST(S)
|
||||||
|
eth1 206.124.146.177
|
||||||
|
eth2 -
|
||||||
|
eth3 192.168.3.0/24
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="RFC1918">
|
||||||
|
<title>RFC1918 File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>I use a stripped-down file which doesn't have to be updated
|
||||||
|
when the IANA allocates a block of IP addresses.</para>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#SUBNET TARGET
|
||||||
|
169.254.0.0/16 DROP # DHCP autoconfig
|
||||||
|
172.16.0.0/12 logdrop # RFC 1918
|
||||||
|
192.0.2.0/24 logdrop # Example addresses
|
||||||
|
192.168.0.0/16 logdrop # RFC 1918
|
||||||
|
10.24.60.56 DROP # Some idiot in my broadcast domain
|
||||||
|
# has a box configured with this
|
||||||
|
# address.
|
||||||
|
10.0.0.0/8 logdrop # Reserved (RFC 1918)</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Blacklist File (Partial)</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
||||||
|
0.0.0.0/0 udp 1434
|
||||||
|
0.0.0.0/0 tcp 1433
|
||||||
|
0.0.0.0/0 tcp 8081
|
||||||
|
0.0.0.0/0 tcp 57
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Policy File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||||||
|
fw fw ACCEPT # For testing fw->fw rules
|
||||||
|
loc net ACCEPT # Allow all net traffic from local net
|
||||||
|
$FW loc ACCEPT # Allow local access from the firewall
|
||||||
|
$FW tx ACCEPT # Allow firewall access to texas
|
||||||
|
loc tx ACCEPT # Allow local net access to texas
|
||||||
|
loc fw REJECT $LOG # Reject loc->fw and log
|
||||||
|
WiFi net ACCEPT # Allow internet access from wirless
|
||||||
|
net all DROP $LOG 10/sec:40 # Rate limit and
|
||||||
|
# DROP net->all
|
||||||
|
all all REJECT $LOG # Reject and log the rest
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Masq File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>Although most of our internal systems use one-to-one NAT, my
|
||||||
|
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
|
||||||
|
as does my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
|
||||||
|
visitors with laptops.</para>
|
||||||
|
|
||||||
|
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||||
|
eth0:2 eth2 206.124.146.179
|
||||||
|
eth0 eth3 206.124.146.179
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>NAT File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||||
|
206.124.146.178 eth0:0 192.168.1.5 No No
|
||||||
|
206.124.146.180 eth0:1 192.168.1.7 No No
|
||||||
|
#
|
||||||
|
# The following entry allows the server to be accessed through an address in
|
||||||
|
# the local network. This is convenient when I'm on the road and connected
|
||||||
|
# to the PPTP server. By doing this, I don't need to set my client's default
|
||||||
|
# gateway to route through the tunnel.
|
||||||
|
#
|
||||||
|
192.168.1.193 eth2:0 206.124.146.177 No No
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="ProxyARP">
|
||||||
|
<title>Proxy ARP File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
|
206.124.146.177 eth1 eth0 Yes
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||||
|
gre net $TEXAS
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Actions File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>#ACTION
|
||||||
|
DropBcast #Silently Drops Broadcast Traffic
|
||||||
|
DropSMB #Silently Drops Microsoft SMB Traffic
|
||||||
|
RejectSMB #Silently Reject Microsoft SMB Traffic
|
||||||
|
DropUPnP #Silently Drop UPnP Probes
|
||||||
|
DropNonSyn #Silently Drop Non-syn TCP packets
|
||||||
|
RejectAuth #Silently Reject Auth
|
||||||
|
DropPing #Silently Drop Ping
|
||||||
|
DropDNSrep #Silently Drop DNS Replies
|
||||||
|
AllowPing #Accept Ping
|
||||||
|
|
||||||
|
Mirrors #Accept traffic from the Shorewall Mirror sites
|
||||||
|
|
||||||
|
MyDrop:DROP #My DROP common action
|
||||||
|
MyReject:REJECT #My REJECT common action
|
||||||
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>action.Mirrors File</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>The $MIRRORS variable expands to a list of approximately 10 IP
|
||||||
|
addresses. So moving these checks into a separate chain reduces the
|
||||||
|
number of rules that most net->dmz traffic needs to traverse.</para>
|
||||||
|
|
||||||
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
|
# PORT PORT(S) DEST LIMIT
|
||||||
|
ACCEPT $MIRRORS
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>action.MyDrop</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>This is my common action for the DROP policy. It is like the
|
||||||
|
standard <emphasis role="bold">Reject</emphasis> action except that it
|
||||||
|
allows <quote>Ping</quote>.</para>
|
||||||
|
|
||||||
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
RejectAuth
|
||||||
|
AllowPing
|
||||||
|
DropBcast
|
||||||
|
DropSMB
|
||||||
|
DropUPnP
|
||||||
|
DropNonSyn
|
||||||
|
DropDNSrep</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>action.MyReject</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>This is my common action for the REJECT policy. It is like the
|
||||||
|
standard <emphasis role="bold">Drop</emphasis> action except that it
|
||||||
|
allows <quote>Ping</quote>.</para>
|
||||||
|
|
||||||
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
|
# PORT(S) PORT(S) LIMIT GROUP
|
||||||
|
RejectAuth
|
||||||
|
AllowPing
|
||||||
|
DropBcast
|
||||||
|
RejectSMB
|
||||||
|
DropUPnP
|
||||||
|
DropNonSyn
|
||||||
|
DropDNSrep</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<programlisting>###############################################################################################################################################################################
|
||||||
|
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
|
||||||
|
# PORT(S) DEST:SNAT SET
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Local Network to Internet - Reject attempts by Trojans to call home
|
||||||
|
#
|
||||||
|
REJECT:$LOG loc net tcp 6667
|
||||||
|
#
|
||||||
|
# Stop NETBIOS crap since our policy is ACCEPT
|
||||||
|
#
|
||||||
|
REJECT loc net tcp 137,445
|
||||||
|
REJECT loc net udp 137:139
|
||||||
|
#
|
||||||
|
DROP loc:!192.168.1.0/24 net
|
||||||
|
|
||||||
|
QUEUE loc net udp
|
||||||
|
QUEUE loc fw udp
|
||||||
|
QUEUE loc net tcp
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Local Network to Firewall
|
||||||
|
#
|
||||||
|
DROP loc:!192.168.1.0/24 fw
|
||||||
|
ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
|
||||||
|
ACCEPT loc fw udp snmp,ntp,445
|
||||||
|
ACCEPT loc fw udp 137:139
|
||||||
|
ACCEPT loc fw udp 1024: 137
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Local Network to DMZ
|
||||||
|
#
|
||||||
|
DROP loc:!192.168.1.0/24 dmz
|
||||||
|
REJECT loc dmz tcp 465
|
||||||
|
ACCEPT loc dmz udp domain,xdmcp
|
||||||
|
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Internet to DMZ
|
||||||
|
#
|
||||||
|
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178
|
||||||
|
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
|
||||||
|
ACCEPT net dmz udp domain
|
||||||
|
ACCEPT net dmz udp 33434:33436
|
||||||
|
Mirrors net dmz tcp rsync
|
||||||
|
#ACCEPT:$LOG net dmz tcp 32768:61000 20
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
#
|
||||||
|
# Net to Local
|
||||||
|
#
|
||||||
|
# When I'm "on the road", the following two rules allow me VPN access back home.
|
||||||
|
#
|
||||||
|
ACCEPT net loc:192.168.1.5 tcp 1723
|
||||||
|
ACCEPT net loc:192.168.1.5 gre
|
||||||
|
#
|
||||||
|
# ICQ
|
||||||
|
#
|
||||||
|
ACCEPT net loc:192.168.1.5 tcp 4000:4100
|
||||||
|
#
|
||||||
|
# Real Audio
|
||||||
|
#
|
||||||
|
ACCEPT net loc:192.168.1.5 udp 6970:7170
|
||||||
|
#
|
||||||
|
# Overnet
|
||||||
|
#
|
||||||
|
#ACCEPT net loc:192.168.1.5 tcp 4662
|
||||||
|
#ACCEPT net loc:192.168.1.5 udp 12112
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# DMZ to Internet
|
||||||
|
#
|
||||||
|
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
|
||||||
|
ACCEPT dmz net udp domain
|
||||||
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||||
|
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
||||||
|
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
||||||
|
#
|
||||||
|
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||||||
|
# that is sending a PORT command which that code doesn't understand. Either way,
|
||||||
|
# the following works around the problem.
|
||||||
|
#
|
||||||
|
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||||
|
#
|
||||||
|
ACCEPT dmz fw udp ntp ntp
|
||||||
|
ACCEPT dmz fw tcp snmp,ssh
|
||||||
|
ACCEPT dmz fw udp snmp
|
||||||
|
REJECT dmz fw tcp auth
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# DMZ to Internet
|
||||||
|
#
|
||||||
|
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
|
||||||
|
ACCEPT dmz net udp domain
|
||||||
|
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||||
|
#ACCEPT dmz net:206.191.151.2 tcp pop3
|
||||||
|
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
||||||
|
#
|
||||||
|
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||||||
|
# that is sending a PORT command which that code doesn't understand. Either way,
|
||||||
|
# the following works around the problem.
|
||||||
|
#
|
||||||
|
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||||
|
#
|
||||||
|
ACCEPT dmz fw udp ntp ntp
|
||||||
|
ACCEPT dmz fw tcp snmp,ssh
|
||||||
|
ACCEPT dmz fw udp snmp
|
||||||
|
REJECT dmz fw tcp auth
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
#
|
||||||
|
# DMZ to Local Network
|
||||||
|
#
|
||||||
|
ACCEPT dmz loc tcp smtp,6001:6010
|
||||||
|
ACCEPT dmz loc tcp 111
|
||||||
|
ACCEPT dmz loc udp
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Internet to Firewall
|
||||||
|
#
|
||||||
|
REJECT net fw tcp www
|
||||||
|
ACCEPT net dmz udp 33434:33435
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# WIFI to Firewall
|
||||||
|
#
|
||||||
|
ACCEPT WiFi fw tcp ssh,137,139,445
|
||||||
|
ACCEPT WiFi fw udp 137:139,445
|
||||||
|
ACCEPT WiFi fw udp 1024: 137
|
||||||
|
ACCEPT WiFi fw udp ntp ntp
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Firewall to WIFI
|
||||||
|
#
|
||||||
|
ACCEPT fw WiFi tcp 137,139,445
|
||||||
|
ACCEPT fw WiFi udp 137:139,445
|
||||||
|
ACCEPT fw WiFi udp 1024: 137
|
||||||
|
ACCEPT fw WiFi udp ntp ntp
|
||||||
|
##############################################################################################################################################################################
|
||||||
|
# WIFI to DMZ
|
||||||
|
#
|
||||||
|
DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193
|
||||||
|
ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh,8080 -
|
||||||
|
ACCEPT WiFi dmz udp domain
|
||||||
|
##############################################################################################################################################################################
|
||||||
|
# WIFI to loc
|
||||||
|
#
|
||||||
|
ACCEPT WiFi loc udp 137:139
|
||||||
|
ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389
|
||||||
|
ACCEPT WiFi loc udp 1024: 137
|
||||||
|
ACCEPT WiFi loc udp 177
|
||||||
|
##############################################################################################################################################################################
|
||||||
|
# loc to WiFi
|
||||||
|
#
|
||||||
|
ACCEPT loc WiFi udp 137:139
|
||||||
|
ACCEPT loc WiFi tcp 137,139,445
|
||||||
|
ACCEPT loc WiFi udp 1024: 137
|
||||||
|
ACCEPT loc WiFi tcp 6000:6010
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Firewall to Internet
|
||||||
|
#
|
||||||
|
ACCEPT fw net:$NTPSERVERS udp ntp ntp
|
||||||
|
#ACCEPT fw net:$POPSERVERS tcp pop3
|
||||||
|
ACCEPT fw net udp domain
|
||||||
|
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
|
||||||
|
ACCEPT fw net udp 33435:33535
|
||||||
|
ACCEPT fw net icmp
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Firewall to DMZ
|
||||||
|
#
|
||||||
|
ACCEPT fw dmz tcp www,ftp,ssh,smtp
|
||||||
|
ACCEPT fw dmz udp domain
|
||||||
|
REJECT fw dmz udp 137:139
|
||||||
|
###############################################################################################################################################################################
|
||||||
|
# Ping
|
||||||
|
#
|
||||||
|
ACCEPT all all icmp 8
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>/etc/network/interfaces</title>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para>This file is Debian specific. My additional entry (which is
|
||||||
|
displayed in <emphasis role="bold">bold type</emphasis>) adds a route
|
||||||
|
to my DMZ server when eth1 is brought up. It allows me to enter
|
||||||
|
<quote>Yes</quote> in the HAVEROUTE column of <link linkend="ProxyARP">my
|
||||||
|
Proxy ARP file</link>.</para>
|
||||||
|
|
||||||
|
<programlisting>...
|
||||||
|
auto eth1
|
||||||
|
iface eth1 inet static
|
||||||
|
address 192.168.2.1
|
||||||
|
netmask 255.255.255.0
|
||||||
|
network 192.168.2.0
|
||||||
|
broadcast 192.168.2.255
|
||||||
|
<emphasis role="bold">up ip route add 206.124.146.177 dev eth1
|
||||||
|
</emphasis>...</programlisting>
|
||||||
|
</blockquote>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
</article>
|
@ -1,122 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
||||||
<article>
|
|
||||||
<!--$Id$-->
|
|
||||||
|
|
||||||
<title>Shorewall 1.4.9</title>
|
|
||||||
|
|
||||||
<section>
|
|
||||||
<title>Problems Corrected</title>
|
|
||||||
|
|
||||||
<para>These are the problems corrected since Shorewall 1.4.8</para>
|
|
||||||
|
|
||||||
<orderedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>There has been a low continuing level of confusion over the
|
|
||||||
terms <quote>Source NAT</quote> (SNAT) and <quote>Static NAT</quote>.
|
|
||||||
To avoid future confusion, all instances of <quote>Static NAT</quote>
|
|
||||||
have been replaced with <quote>One-to-one NAT</quote> in the
|
|
||||||
documentation and configuration files.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>The description of NEWNOTSYN in shorewall.conf has been reworded
|
|
||||||
for clarity.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Wild-card rules (those involving <quote>all</quote> as SOURCE or
|
|
||||||
DEST) will no longer produce an error if they attempt to add a rule
|
|
||||||
that would override a NONE policy. The logic for expanding these
|
|
||||||
wild-card rules now simply skips those (SOURCE,DEST) pairs that have a
|
|
||||||
NONE policy.</para>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section>
|
|
||||||
<title>Migration Considerations</title>
|
|
||||||
|
|
||||||
<para>None.</para>
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section>
|
|
||||||
<title>New Features</title>
|
|
||||||
|
|
||||||
<para>These are the new features added since Shorewall 1.4.8</para>
|
|
||||||
|
|
||||||
<orderedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>To cut down on the number of <quote>Why are these ports closed
|
|
||||||
rather than stealthed?</quote> questions, the SMB-related rules in
|
|
||||||
/etc/shorewall/common.def have been changed from <quote>reject</quote>
|
|
||||||
to <quote>DROP</quote>.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>For easier identification, packets logged under the
|
|
||||||
<quote>norfc1918</quote> interface option are now logged out of chains
|
|
||||||
named <quote>rfc1918</quote>. Previously, such packets were logged
|
|
||||||
under chains named <quote>logdrop</quote>.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Distributors and developers seem to be regularly inventing new
|
|
||||||
naming conventions for kernel modules. To avoid the need to change
|
|
||||||
Shorewall code for each new convention, the MODULE_SUFFIX option has
|
|
||||||
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
|
|
||||||
for module names in your particular distribution. If MODULE_SUFFIX is
|
|
||||||
not set in shorewall.conf, Shorewall will use the list <quote>o gz ko
|
|
||||||
o.gz</quote>. To see what suffix is used by your distribution:</para>
|
|
||||||
|
|
||||||
<programlisting>ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter</programlisting>
|
|
||||||
|
|
||||||
<para>All of the files listed should have the same suffix (extension).
|
|
||||||
Set MODULE_SUFFIX to that suffix. Examples:</para>
|
|
||||||
|
|
||||||
<orderedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>If all files end in <quote>.kzo</quote> then set
|
|
||||||
MODULE_SUFFIX="kzo"</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>If all files end in <quote>.kz.o</quote> then set
|
|
||||||
MODULE_SUFFIX="kz.o"</para>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Support for user defined rule ACTIONS has been implemented
|
|
||||||
through two new files: <itemizedlist><listitem><para>/etc/shorewall/actions
|
|
||||||
- used to list the user-defined ACTIONS.</para></listitem><listitem><para>/etc/shorewall/action.template
|
|
||||||
- For each user defined <action>:</para><orderedlist><listitem><para>copy
|
|
||||||
this file to /etc/shorewall/action.<action></para></listitem><listitem><para>Add
|
|
||||||
the appropriate rules in that file for the <action>.</para></listitem></orderedlist></listitem></itemizedlist>Once
|
|
||||||
an <action> has been defined, it may be used like any of the
|
|
||||||
builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.</para>
|
|
||||||
|
|
||||||
<para>Example: You want an action that logs a packet at the
|
|
||||||
<quote>info</quote> level and accepts the connection.</para>
|
|
||||||
|
|
||||||
<para>In /etc/shorewall/actions, you would add:</para>
|
|
||||||
|
|
||||||
<simplelist>
|
|
||||||
<member>LogAndAccept</member>
|
|
||||||
</simplelist>
|
|
||||||
|
|
||||||
<para>You would then copy /etc/shorewall/action.template to
|
|
||||||
/etc/shorewall/action.LogAndAccept and in that file, you would add the
|
|
||||||
two rules:</para>
|
|
||||||
|
|
||||||
<simplelist>
|
|
||||||
<member>LOG:info</member>
|
|
||||||
|
|
||||||
<member>ACCEPT</member>
|
|
||||||
</simplelist>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
</section>
|
|
||||||
</article>
|
|
@ -15,14 +15,10 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-06-30</pubdate>
|
<pubdate>2004-02-01</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001</year>
|
<year>2001-2004</year>
|
||||||
|
|
||||||
<year>2002</year>
|
|
||||||
|
|
||||||
<year>2003</year>
|
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -115,13 +111,12 @@
|
|||||||
|
|
||||||
<para>/etc/shorewall/common:</para>
|
<para>/etc/shorewall/common:</para>
|
||||||
|
|
||||||
<programlisting> . /etc/shorewall/common.def
|
<programlisting> <add your rules here>
|
||||||
<add your rules here></programlisting>
|
. /etc/shorewall/common.def</programlisting>
|
||||||
|
|
||||||
<para>If you need to supercede a rule in the released common.def file, you
|
<para>Using this technique allows you to add new rules while still getting
|
||||||
can add the superceding rule before the <quote>.</quote> command. Using this
|
the benefit of the latest common.def file. Remember that
|
||||||
technique allows you to add new rules while still getting the benefit of the
|
/etc/shorewall/common defines rules that are only applied if the applicable
|
||||||
latest common.def file. Remember that /etc/shorewall/common defines rules
|
policy is DROP or REJECT. These rules are NOT applied if the policy is
|
||||||
that are only applied if the applicable policy is DROP or REJECT. These
|
ACCEPT or CONTINUE</para>
|
||||||
rules are NOT applied if the policy is ACCEPT or CONTINUE</para>
|
|
||||||
</article>
|
</article>
|
@ -743,7 +743,7 @@ ACCEPT net fw tcp 80 </programlisting><it
|
|||||||
added an entry for the IP address that you are connected from to <ulink
|
added an entry for the IP address that you are connected from to <ulink
|
||||||
url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
||||||
Also, I don't recommend using <command>shorewall restart</command>; it
|
Also, I don't recommend using <command>shorewall restart</command>; it
|
||||||
is better to create an <ulink url="configuration_file_basics.htm#Configs">alternate
|
is better to create an <ulink url="configuration_file_basics.htm#Levels">alternate
|
||||||
configuration</ulink> and test it using the <ulink
|
configuration</ulink> and test it using the <ulink
|
||||||
url="starting_and_stopping_shorewall.htm"><command>shorewall try</command>
|
url="starting_and_stopping_shorewall.htm"><command>shorewall try</command>
|
||||||
command</ulink>.</para></warning></para>
|
command</ulink>.</para></warning></para>
|
||||||
|
Loading…
Reference in New Issue
Block a user