From 86f1411985da19a1047dc36400c565bae5d90097 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 4 Dec 2003 22:36:23 +0000 Subject: [PATCH] Minor Updates git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@804 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/Banner.html | 4 +++- Shorewall-docs/mailing_list.htm | 22 ++++++++++++++---- Shorewall-docs/myfiles.htm | 11 ++++++--- Shorewall-docs/seattlefirewall_index.htm | 15 +++++++++++- Shorewall-docs/shorewall_prerequisites.htm | 4 ++-- Shorewall-docs/sourceforge_index.htm | 15 +++++++++++- Shorewall-docs/support.htm | 27 ++++++++++++++++++---- 7 files changed, 82 insertions(+), 16 deletions(-) diff --git a/Shorewall-docs/Banner.html b/Shorewall-docs/Banner.html index cd2fe8127..0ff0100eb 100755 --- a/Shorewall-docs/Banner.html +++ b/Shorewall-docs/Banner.html @@ -34,7 +34,9 @@ is unavailable Daily 0200-0330 GMT.
value="htdig">         Extended Search

+ style="color: rgb(255, 255, 255);">Extended Search including Mailing +List Archives
+

diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm index 2cb7b84ea..acb9055d5 100644 --- a/Shorewall-docs/mailing_list.htm +++ b/Shorewall-docs/mailing_list.htm @@ -145,14 +145,28 @@ in your browser. If you don't wish to trust my certificates then you can either use unencrypted access when subscribing to Shorewall mailing lists or you can use secure access (SSL) and accept the server's certificate when prompted by your browser.
+

Shorewall Newbies Mailing List

+This list provides a place where people who are new to Shorewall can +get questions answered and can receive help with problems.
+

Before posting +to this list, please see the problem +reporting guidelines.
+

+

To subscribe: https//lists.shorewall.net/mailman/listinfo/shorewall-newbies

+

To post to the list, post to shorewall-newbies@lists.shorewall.net.

Shorewall Users Mailing List

The Shorewall Users Mailing list provides a way for users to get answers to questions and to report problems. Information of general interest to the Shorewall user community is also posted to -this list.

+this list.
+

+

The Shorewall author does not monitor this list.
+

Before posting -to this list, please see the problem +to this list, please see the problem reporting guidelines.

To subscribe:

Frustrated by having to Rebuild Mailman to use it with Postfix?

Check out these instructions

-

Last updated 10/27/2003 - Last updated 12/03/2003 - Tom Eastep

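Review bot: the subscription URL added for the Newbies list, `https//lists.shorewall.net/mailman/listinfo/shorewall-newbies`, is missing the colon after the scheme, so a browser will resolve it as a relative path on the current site rather than as an HTTPS link; it should read `https://lists.shorewall.net/mailman/listinfo/shorewall-newbies`. The same typo is in the Newbies subscription paragraph added to support.htm in this patch, so fix both. Since the link is meant to be HTTPS, the certificate note at the top of this page (accept the server's certificate when prompted) applies to it too and could be referenced from the new section. Minor style point: "To post to the list, post to shorewall-newbies@lists.shorewall.net." reads awkwardly; "Post to shorewall-newbies@lists.shorewall.net." is enough.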
Copyright © diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm index 1bbce51fe..67e664b57 100644 --- a/Shorewall-docs/myfiles.htm +++ b/Shorewall-docs/myfiles.htm @@ -50,7 +50,7 @@ configuration and expecting them to work for you. What you copy may or may not work in your configuration.

Warning 2: The -configuration shown here corresponds to Shorewall version 1.4.7. It may +configuration shown here corresponds to Shorewall version 1.4.9. It may use features not available in earlier Shorewall releases.

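Review bot: Warning 2 now says this configuration corresponds to Shorewall 1.4.9, but the news entries touched by this same patch (seattlefirewall_index.htm, sourceforge_index.htm) still list 1.4.8 as the current release. Because the page itself warns that the configuration "may use features not available in earlier Shorewall releases" (the new Actions File below being one), readers on the released version need to be told that 1.4.9 is ahead of the current release, for example "Shorewall version 1.4.9 (not yet released)" or a pointer to where 1.4.9 can be obtained.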
I have DSL service and have 5 static IP addresses @@ -197,9 +197,14 @@ visitors with laptops.

#TYPE			ZONE    GATEWAY         GATEWAY ZONE    PORT
gre net $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

+

Actions File

+
#ACTION
Mirrors #Action that accepts traffic from our mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+

/etc/shorewall/action.Mirrors
+

+
#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Rules File (The shell variables are set in /etc/shorewall/params):

-
################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL DEST:SNAT
################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.1.0/24 fw
ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
ACCEPT loc fw udp snmp,ntp,445
ACCEPT loc fw udp 137:139
ACCEPT loc fw udp 1024: 137
################################################################################################################################################################
# Local Network to DMZ
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,pop3 -
################################################################################################################################################################
# Me to DMZ (This compensates for the broken RH kernel running in the DMZ -- that kernel's REJECT target is broken and Evolution requires a REJECT from smtps).
#
REJECT me dmz tcp 465
################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
ACCEPT net dmz udp domain
ACCEPT net:$MIRRORS dmz tcp rsync
ACCEPT:$LOG net dmz tcp 32768:61000 20
DROP net dmz tcp 1433
################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6790
################################################################################################################################################################
# Net to me
#
ACCEPT net loc:192.168.1.3 tcp 4000:4100
################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh
ACCEPT dmz net udp domain
#ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
################################################################################################################################################################
#
# DMZ to Me -- NFS
#
ACCEPT dmz me tcp 111
ACCEPT dmz me udp 111
ACCEPT dmz me udp 2049
ACCEPT dmz me udp 32700:
################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www
DROP net fw tcp 1433
################################################################################################################################################################
# WiFi to Firewall (SMB and NTP)
#
ACCEPT WiFi fw tcp ssh,137,139,445
ACCEPT WiFi fw udp 137:139,445
ACCEPT
###############################################################################################################################################################
# WIFI to loc
#
ACCEPT WiFi loc udp 137:139
ACCEPT WiFi loc tcp 22,80,137,139,445,3389
ACCEPT WiFi loc udp 1024: 137
ACCEPT WiFi loc udp 177
###############################################################################################################################################################
# loc to WiFi
#
ACCEPT loc WiFi udp 137:139
ACCEPT loc WiFi tcp 137,139,445
ACCEPT loc WiFi udp 1024: 137
ACCEPT loc WiFi tcp 6000:6010
WiFi fw udp 1024: 137
ACCEPT WiFi fw udp ntp ntp
################################################################################################################################################################
# Firewall to WiFi (SMB)
#
ACCEPT fw WiFi tcp 137,139,445
ACCEPT fw WiFi udp 137:139,445
ACCEPT fw WiFi udp 1024: 137
###############################################################################################################################################################
# WiFi to DMZ
#
DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193
ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh -
ACCEPT WiFi dmz udp domain
################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp 8
################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
ACCEPT fw dmz icmp 8
REJECT fw dmz udp 137:139

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL DEST:SNAT
################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.1.0/24 fw
ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
ACCEPT loc fw udp snmp,ntp,445
ACCEPT loc fw udp 137:139
ACCEPT loc fw udp 1024: 137
################################################################################################################################################################
# Local Network to DMZ
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,pop3 -
################################################################################################################################################################
# Me to DMZ (This compensates for the broken RH kernel running in the DMZ -- that kernel's REJECT target is broken and Evolution requires a REJECT from smtps).
#
REJECT me dmz tcp 465
################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
ACCEPT net dmz udp domain
Mirrors net dmz tcp rsync
ACCEPT:$LOG net dmz tcp 32768:61000 20
DROP net dmz tcp 1433
################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6790
################################################################################################################################################################
# Net to me
#
ACCEPT net loc:192.168.1.3 tcp 4000:4100
################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh
ACCEPT dmz net udp domain
#ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
################################################################################################################################################################
#
# DMZ to Me -- NFS
#
ACCEPT dmz me tcp 111
ACCEPT dmz me udp 111
ACCEPT dmz me udp 2049
ACCEPT dmz me udp 32700:
################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www
DROP net fw tcp 1433
################################################################################################################################################################
# WiFi to Firewall (SMB and NTP)
#
ACCEPT WiFi fw tcp ssh,137,139,445
ACCEPT WiFi fw udp 137:139,445
ACCEPT
###############################################################################################################################################################
# WIFI to loc
#
ACCEPT WiFi loc udp 137:139
ACCEPT WiFi loc tcp 22,80,137,139,445,3389
ACCEPT WiFi loc udp 1024: 137
ACCEPT WiFi loc udp 177
###############################################################################################################################################################
# loc to WiFi
#
ACCEPT loc WiFi udp 137:139
ACCEPT loc WiFi tcp 137,139,445
ACCEPT loc WiFi udp 1024: 137
ACCEPT loc WiFi tcp 6000:6010
WiFi fw udp 1024: 137
ACCEPT WiFi fw udp ntp ntp
################################################################################################################################################################
# Firewall to WiFi (SMB)
#
ACCEPT fw WiFi tcp 137,139,445
ACCEPT fw WiFi udp 137:139,445
ACCEPT fw WiFi udp 1024: 137
###############################################################################################################################################################
# WiFi to DMZ
#
DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193
ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh -
ACCEPT WiFi dmz udp domain
################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp 8
################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
ACCEPT fw dmz icmp 8
REJECT fw dmz udp 137:139

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The next three files deal with redirecting html requests to Squid on the DMZ server.
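Review bot: two rules in the Rules File block are malformed as displayed and will not load as written: the bare `ACCEPT` line under "WiFi to Firewall (SMB and NTP)" has no SOURCE/DEST columns, and `WiFi fw udp 1024: 137` under "loc to WiFi" has no ACTION column (and, from its zones, belongs under the WiFi-to-Firewall heading rather than loc-to-WiFi). If these are line-wrapping artifacts of the HTML, fix the markup; if they are in the real file, a rule with a missing ACTION or missing zone columns will fail when the rules file is loaded. The switch from `ACCEPT net:$MIRRORS dmz tcp rsync` to `Mirrors net dmz tcp rsync` with `action.Mirrors` containing `ACCEPT $MIRRORS` is equivalent and correct, but the column header of the new action file (`#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE` over `# PORT PORT(S) DEST LIMIT`) is misaligned and should be reflowed so readers can tell which column `$MIRRORS` occupies. One caveat worth stating next to the FTP workaround, since this file is published as an example: `ACCEPT:$LOG net dmz tcp 32768:61000 20` accepts any Internet host that sets its source port to 20 into the DMZ's entire 32768:61000 range (and `ACCEPT:$LOG dmz net tcp 1024: 20` does the same outbound); a source-port-only match is satisfiable by any client, so it should be scoped to the FTP server's address or removed once the connection-tracking problem described in the comment is resolved.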
@@ -237,7 +242,7 @@ file.
#!/bin/sh

case $1 in
eth1)
ip route add 206.124.146.177 dev eth1
;;
esac
-

Last updated 11/13/2003 - Tom +

Last updated 12/042003 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.
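Review bot: the new footer date `12/042003` is missing the slash between day and year; it should be `12/04/2003`.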
diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index b15df5a38..c15aeda91 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -104,6 +104,19 @@ setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.

News

+

12/03/2003 - Support Torch Passed (New)

+

Effective today, I am reducing my participation in the +day-to-day support of Shorewall. As part of this shift to +community-based Shorewall support a new Shorewall +Newbies mailing list has been established to field questions and +problems from new users. I will not monitor that list personally. I +will continue my active development of Shorewall +and will be available via the development list to handle development +issues -- Tom.
+

11/07/2003 - Shorewall 1.4.8 (New)
@@ -335,7 +348,7 @@ Children's Foundation. Thanks!
-

Updated 11/13/2003 - Tom Eastep +

Updated 12/02/2003 - Tom Eastep

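Review bot: the footer now reads `Updated 12/02/2003`, which predates the `12/03/2003 - Support Torch Passed` news item added to this same page earlier in the patch; the sourceforge_index.htm copy of the same change uses `Updated 12/03/2003`. Make the two footers consistent with the news date. Also, both the 12/03/2003 and the older 11/07/2003 entries carry the "(New)" marker; if the marker is meant to flag only the latest item, drop it from the 11/07 entry.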
diff --git a/Shorewall-docs/shorewall_prerequisites.htm b/Shorewall-docs/shorewall_prerequisites.htm index 171dd4006..66a25a2e1 100644 --- a/Shorewall-docs/shorewall_prerequisites.htm +++ b/Shorewall-docs/shorewall_prerequisites.htm @@ -13,7 +13,7 @@ Shorewall Requires:
  • A kernel that supports netfilter. I've tested with 2.4.2 - -2.4.23-rc2. With current releases of Shorewall, Traffic +2.4.23. With current releases of Shorewall, Traffic Shaping/Control requires at least 2.4.18.  Check here for kernel configuration information. If you are looking for a firewall @@ -48,7 +48,7 @@ shell prompt by:
  • The firewall monitoring display is greatly improved if you have awk (gawk) installed.
-

Last updated 11/20/2003 - Last updated 12/04/2003 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm index b730008b1..a5d9160fa 100644 --- a/Shorewall-docs/sourceforge_index.htm +++ b/Shorewall-docs/sourceforge_index.htm @@ -93,6 +93,19 @@ setup that matches the documentation on this site. See the

News

+

12/03/2003 - Support Torch Passed (New)

+Effective today, I am reducing my participation in the +day-to-day support of Shorewall. As part of this shift to +community-based Shorewall support a new
Shorewall +Newbies mailing list +has been established to field questions and problems from new users. I +will not monitor that list personally. I will continue my active +development of Shorewall +and will be available via the development list to handle development +issues -- Tom.

11/01/2003 - Shorewall 1.4.8 RC2 (New) @@ -325,7 +338,7 @@ Children's Foundation. Thanks!

-

Updated 11/17/2003 - Tom Eastep +

Updated 12/03/2003 - Tom Eastep

diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm index 76dd2c49c..409acd60d 100644 --- a/Shorewall-docs/support.htm +++ b/Shorewall-docs/support.htm @@ -97,6 +97,15 @@ to B fails, say so (and see below for information about reporting Neighborhood" then say so.

+
  • Please give details about what doesn't work. Reports that say "I +followed the directions and it didn't work" will elicit sympathy but +probably little in the way of help. Again -- if ping from A +to B fails, say so (and see below for information about reporting +'ping' problems). If Computer B doesn't show up in "Network +Neighborhood" then say so. If access by IP address works but by DNS +names it doesn't then say so.
    +
    +
  • Please don't describe your environment and then ask us to send you custom configuration files. We're here to answer your questions but we can't do your job for you.
    @@ -191,8 +200,7 @@ unless one also knows the policies).

  • If an error occurs when you try to "shorewall -start", include a trace (See the Troubleshooting +start", include a trace (See the Troubleshooting section for instructions).

  • @@ -228,7 +236,13 @@ will appreciate it if you just post in plain text to begin with.

    If you run Shorewall under Bering -- please post your question or problem to the LEAF Users mailing list.

    - If you run Shorewall under MandrakeSoft Multi Network Firewall + If you are new to Shorewall and have +a question or need help with a problem, please post to the Shorewall Newbies +mailing list.
    +
    +
    If you run Shorewall under MandrakeSoft Multi Network +Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft then you can post non MNF-specific Shorewall questions to the Shorewall users @@ -240,6 +254,11 @@ you are not subscribed to the list, please say so -- otherwise, you will not be included in any replies.

    +

    Subscribing to the Newbies Mailing List
    +

    +To Subscribe to the mailing list go to
    https//lists.shorewall.net/mailman/listinfo/shorewall-newbies.

    Subscribing to the Users Mailing List

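Review bot: `https//lists.shorewall.net/mailman/listinfo/shorewall-newbies` in the new "Subscribing to the Newbies Mailing List" paragraph is missing the colon after the scheme (the same typo as in mailing_list.htm in this patch) and should be `https://lists.shorewall.net/mailman/listinfo/shorewall-newbies`; as written the link will not reach the list server. Minor: "To Subscribe to the mailing list go to" should use lowercase "subscribe" to match the Users list paragraph below it.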
    @@ -251,7 +270,7 @@ will not be included in any replies.

    For information on other Shorewall mailing lists, go to http://lists.shorewall.net

    -

    Last Updated 11/12/2003 - Tom Eastep

    +

    Last Updated 12/02/2003 - Tom Eastep

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.