mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-15 10:51:02 +01:00
Shorewall 1.4.6 RC1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
defe814ca5
commit
88e1eb7e4d
@ -12,6 +12,7 @@
|
|||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
<title>Shorewall FAQ</title>
|
<title>Shorewall FAQ</title>
|
||||||
|
|
||||||
|
|
||||||
<meta name="Microsoft Theme" content="none">
|
<meta name="Microsoft Theme" content="none">
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@ -39,9 +40,9 @@
|
|||||||
</h1>
|
</h1>
|
||||||
|
|
||||||
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
|
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
|
||||||
port</b> 7777 to my my personal PC with IP address
|
port</b> 7777 to my my personal PC with IP
|
||||||
192.168.1.5. I've looked everywhere and can't
|
address 192.168.1.5. I've looked everywhere and
|
||||||
find <b>how to do it</b>.</a></p>
|
can't find <b>how to do it</b>.</a></p>
|
||||||
|
|
||||||
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
|
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
|
||||||
but it doesn't work.<br>
|
but it doesn't work.<br>
|
||||||
@ -67,9 +68,9 @@ the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a>
|
|||||||
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
|
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
|
||||||
subnet and I use <b>static NAT</b> to assign
|
subnet and I use <b>static NAT</b> to assign
|
||||||
non-RFC1918 addresses to hosts in Z. Hosts in Z
|
non-RFC1918 addresses to hosts in Z. Hosts in Z
|
||||||
cannot communicate with each other using their external
|
cannot communicate with each other using their external
|
||||||
(non-RFC1918 addresses) so they <b>can't access each other
|
(non-RFC1918 addresses) so they <b>can't access each other
|
||||||
using their DNS names.</b></a></p>
|
using their DNS names.</b></a></p>
|
||||||
|
|
||||||
<h1><b>NETMEETING/MSN<br>
|
<h1><b>NETMEETING/MSN<br>
|
||||||
</b></h1>
|
</b></h1>
|
||||||
@ -86,8 +87,8 @@ using their DNS names.</b></a></p>
|
|||||||
as 'closed' rather than 'blocked'.</b> Why?</a></p>
|
as 'closed' rather than 'blocked'.</b> Why?</a></p>
|
||||||
|
|
||||||
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
|
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
|
||||||
of my firewall and it showed 100s of ports as
|
of my firewall and it showed 100s of ports
|
||||||
open!!!!<br>
|
as open!!!!<br>
|
||||||
</a></p>
|
</a></p>
|
||||||
<b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter
|
<b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter
|
||||||
how I change my rules. </a>
|
how I change my rules. </a>
|
||||||
@ -110,13 +111,13 @@ using their DNS names.</b></a></p>
|
|||||||
|
|
||||||
<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
|
<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
|
||||||
href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
|
href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
|
||||||
requests. Can i exclude these error messages for this port temporarily
|
requests. Can i exclude these error messages for this port
|
||||||
from logging in Shorewall?</a><br>
|
temporarily from logging in Shorewall?</a><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
|
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
|
||||||
of these <b>DROP messages from port 53</b> <b>to some high numbered
|
of these <b>DROP messages from port 53</b> <b>to some high
|
||||||
port</b>. They get dropped, but what the heck are they?</a><br>
|
numbered port</b>. They get dropped, but what the heck are they?</a><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
|
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
|
||||||
@ -131,8 +132,8 @@ using their DNS names.</b></a></p>
|
|||||||
<a href="#faq17">How do I find out <b>why this traffic is</b>
|
<a href="#faq17">How do I find out <b>why this traffic is</b>
|
||||||
getting <b>logged?</b></a><br>
|
getting <b>logged?</b></a><br>
|
||||||
<b><br>
|
<b><br>
|
||||||
21. </b><a href="#faq21">I see these <b>strange log entries
|
21. </b><a href="#faq21">I see these <b>strange log
|
||||||
</b>occasionally; what are they?</a><br>
|
entries </b>occasionally; what are they?</a><br>
|
||||||
|
|
||||||
<h1>STARTING AND STOPPING<br>
|
<h1>STARTING AND STOPPING<br>
|
||||||
</h1>
|
</h1>
|
||||||
@ -152,9 +153,10 @@ stop', I can't connect to anything</b>. Why doesn't that command
|
|||||||
|
|
||||||
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
|
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
|
||||||
my interfaces </b>properly at startup?</a></p>
|
my interfaces </b>properly at startup?</a></p>
|
||||||
<b>22. </b><a href="#faq22">I
|
<b>22. </b><a
|
||||||
have some <b>iptables commands </b>that I want to <b>run
|
href="#faq22">I have some <b>iptables commands </b>that I
|
||||||
when Shorewall starts.</b> Which file do I put them in?</a><br>
|
want to <b>run when Shorewall starts.</b> Which file do I put them
|
||||||
|
in?</a><br>
|
||||||
|
|
||||||
<h1>ABOUT SHOREWALL<br>
|
<h1>ABOUT SHOREWALL<br>
|
||||||
</h1>
|
</h1>
|
||||||
@ -167,25 +169,26 @@ when Shorewall starts.</b> Which file do I put them in?</a><br>
|
|||||||
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
|
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
|
||||||
|
|
||||||
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
|
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
|
||||||
<b>23. </b><a href="#faq23">Why do you
|
<b>23. </b><a href="#faq23">Why do
|
||||||
use such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
|
you use such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
|
||||||
<b><br>
|
<b><br>
|
||||||
25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
|
25. </b><a href="#faq25">How to I tell <b>which version of
|
||||||
I am <b>running</b>?</a><br>
|
Shorewall</b> I am <b>running</b>?</a><br>
|
||||||
|
|
||||||
<h1>RFC 1918<br>
|
<h1>RFC 1918<br>
|
||||||
</h1>
|
</h1>
|
||||||
|
|
||||||
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
|
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
|
||||||
and it has an internel web server that allows
|
and it has an internel web server that allows
|
||||||
me to configure/monitor it but as expected if I enable
|
me to configure/monitor it but as expected if I
|
||||||
<b> rfc1918 blocking</b> for my eth0 interface, it also
|
enable <b> rfc1918 blocking</b> for my eth0 interface,
|
||||||
blocks the <b>cable modems web server</b></a>.</p>
|
it also blocks the <b>cable modems web server</b></a>.</p>
|
||||||
|
|
||||||
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
|
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
|
||||||
IP addresses, my ISP's DHCP server has an RFC
|
IP addresses, my ISP's DHCP server has an RFC
|
||||||
1918 address. If I enable RFC 1918 filtering on my
|
1918 address. If I enable RFC 1918 filtering on
|
||||||
external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
|
my external interface, <b>my DHCP client cannot renew its
|
||||||
|
lease</b>.</a></p>
|
||||||
|
|
||||||
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
|
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
|
||||||
</h1>
|
</h1>
|
||||||
@ -195,26 +198,32 @@ when Shorewall starts.</b> Which file do I put them in?</a><br>
|
|||||||
|
|
||||||
<h1>MISCELLANEOUS<br>
|
<h1>MISCELLANEOUS<br>
|
||||||
</h1>
|
</h1>
|
||||||
<b>19. </b><a href="#faq19">I have added <b>entries to
|
<b>19. </b><a href="#faq19">I have added <b>entries
|
||||||
/etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do
|
to /etc/shorewall/tcrules</b> but they <b>don't </b>seem to
|
||||||
anything</b>. Why?</a><br>
|
<b>do anything</b>. Why?</a><br>
|
||||||
<br>
|
<br>
|
||||||
<b>20. </b><a
|
<b>20. </b><a
|
||||||
href="#faq20">I have just set up a server. <b>Do I have
|
href="#faq20">I have just set up a server. <b>Do I have
|
||||||
to change Shorewall to allow access to my server from the internet?</b></a><br>
|
to change Shorewall to allow access to my server from the internet?</b></a><br>
|
||||||
<br>
|
<br>
|
||||||
<b>24. </b><a href="#faq24">How can I <b>allow
|
<b>24. </b><a href="#faq24">How can I <b>allow
|
||||||
conections</b> to let's say the ssh port only<b> from specific
|
conections</b> to let's say the ssh port only<b> from specific
|
||||||
IP Addresses</b> on the internet?</a><br>
|
IP Addresses</b> on the internet?</a><br>
|
||||||
<br>
|
<br>
|
||||||
<b>26. </b><a href="#faq26">When I try to use any of the
|
<b>26. </b><a href="#faq26">When I try to use any of
|
||||||
<b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation
|
the <b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation
|
||||||
not permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
not permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
||||||
|
<br>
|
||||||
|
<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my firewall<b>.</b>
|
||||||
|
What should I look out for?</a><br>
|
||||||
|
<br>
|
||||||
|
<b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging Firewall</b>?</a><br>
|
||||||
|
|
||||||
<hr>
|
<hr>
|
||||||
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
|
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
|
||||||
my my personal PC with IP address 192.168.1.5.
|
my my personal PC with IP address 192.168.1.5.
|
||||||
I've looked everywhere and can't find how to do it.</h4>
|
I've looked everywhere and can't find how to do
|
||||||
|
it.</h4>
|
||||||
|
|
||||||
<p align="left"><b>Answer: </b>The <a
|
<p align="left"><b>Answer: </b>The <a
|
||||||
href="Documentation.htm#PortForward"> first example</a> in the <a
|
href="Documentation.htm#PortForward"> first example</a> in the <a
|
||||||
@ -245,9 +254,11 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
|||||||
<td><i><protocol></i></td>
|
<td><i><protocol></i></td>
|
||||||
<td><i><port
|
<td><i><port
|
||||||
#></i></td>
|
#></i></td>
|
||||||
<td> <br>
|
<td>
|
||||||
|
<br>
|
||||||
</td>
|
</td>
|
||||||
<td> <br>
|
<td>
|
||||||
|
<br>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
@ -279,9 +290,11 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
|||||||
<td>loc:192.168.1.5</td>
|
<td>loc:192.168.1.5</td>
|
||||||
<td>udp</td>
|
<td>udp</td>
|
||||||
<td>7777</td>
|
<td>7777</td>
|
||||||
<td> <br>
|
<td>
|
||||||
|
<br>
|
||||||
</td>
|
</td>
|
||||||
<td> <br>
|
<td>
|
||||||
|
<br>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
@ -290,9 +303,9 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<div align="left"> <font face="Courier"> </font>If
|
<div align="left"> <font face="Courier"> </font>If
|
||||||
you want to forward requests directed to a particular address
|
you want to forward requests directed to a particular
|
||||||
( <i><external IP></i> ) on your firewall to an internal
|
address ( <i><external IP></i> ) on your firewall to
|
||||||
system:</div>
|
an internal system:</div>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<table border="1" cellpadding="2" cellspacing="0"
|
<table border="1" cellpadding="2" cellspacing="0"
|
||||||
@ -335,13 +348,14 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
|||||||
things:</p>
|
things:</p>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>You are
|
<li>You
|
||||||
trying to test from inside your firewall (no, that
|
are trying to test from inside your firewall (no, that
|
||||||
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
|
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
|
||||||
<li>You have
|
<li>You
|
||||||
a more basic problem with your local system such as
|
have a more basic problem with your local system such
|
||||||
an incorrect default gateway configured (it should be
|
as an incorrect default gateway configured (it should
|
||||||
set to the IP address of your firewall's internal interface).</li>
|
be set to the IP address of your firewall's internal
|
||||||
|
interface).</li>
|
||||||
<li>Your ISP is blocking that particular port inbound.<br>
|
<li>Your ISP is blocking that particular port inbound.<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
@ -353,38 +367,38 @@ set to the IP address of your firewall's internal interface).</l
|
|||||||
diagnose this problem:<br>
|
diagnose this problem:<br>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>As root, type "iptables
|
<li>As root, type
|
||||||
-t nat -Z". This clears the NetFilter counters in
|
"iptables -t nat -Z". This clears the NetFilter counters
|
||||||
the nat table.</li>
|
in the nat table.</li>
|
||||||
<li>Try to connect to
|
<li>Try to connect
|
||||||
the redirected port from an external host.</li>
|
to the redirected port from an external host.</li>
|
||||||
<li>As root type "shorewall
|
<li>As root type "shorewall
|
||||||
show nat"</li>
|
show nat"</li>
|
||||||
<li>Locate the appropriate
|
<li>Locate the appropriate
|
||||||
DNAT rule. It will be in a chain called <i><source
|
DNAT rule. It will be in a chain called <i><source
|
||||||
zone></i>_dnat ('net_dnat' in the above examples).</li>
|
zone></i>_dnat ('net_dnat' in the above examples).</li>
|
||||||
<li>Is the packet count
|
<li>Is the packet
|
||||||
in the first column non-zero? If so, the connection
|
count in the first column non-zero? If so, the connection
|
||||||
request is reaching the firewall and is being redirected
|
request is reaching the firewall and is being redirected
|
||||||
to the server. In this case, the problem is usually a missing
|
to the server. In this case, the problem is usually a missing
|
||||||
or incorrect default gateway setting on the server (the
|
or incorrect default gateway setting on the server (the
|
||||||
server's default gateway should be the IP address of the firewall's
|
server's default gateway should be the IP address of the
|
||||||
interface to the server).</li>
|
firewall's interface to the server).</li>
|
||||||
<li>If the packet count
|
<li>If the packet
|
||||||
is zero:</li>
|
count is zero:</li>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>the connection
|
<li>the connection
|
||||||
request is not reaching your server (possibly it is
|
request is not reaching your server (possibly it is
|
||||||
being blocked by your ISP); or</li>
|
being blocked by your ISP); or</li>
|
||||||
<li>you are trying
|
<li>you are trying
|
||||||
to connect to a secondary IP address on your firewall
|
to connect to a secondary IP address on your firewall
|
||||||
and your rule is only redirecting the primary IP address (You
|
and your rule is only redirecting the primary IP address (You
|
||||||
need to specify the secondary IP address in the "ORIG. DEST."
|
need to specify the secondary IP address in the "ORIG. DEST."
|
||||||
column in your DNAT rule); or</li>
|
column in your DNAT rule); or</li>
|
||||||
<li>your DNAT rule
|
<li>your DNAT rule
|
||||||
doesn't match the connection request in some other
|
doesn't match the connection request in some other
|
||||||
way. In that case, you may have to use a packet sniffer such
|
way. In that case, you may have to use a packet sniffer such
|
||||||
as tcpdump or ethereal to further diagnose the problem.<br>
|
as tcpdump or ethereal to further diagnose the problem.<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
@ -394,7 +408,7 @@ way. In that case, you may have to use a packet sniffer such
|
|||||||
|
|
||||||
<h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want
|
<h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want
|
||||||
to connect to port 1022 on my firewall and have the firewall forward
|
to connect to port 1022 on my firewall and have the firewall forward
|
||||||
the connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
|
the connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
|
||||||
|
|
||||||
<div align="left">
|
<div align="left">
|
||||||
<blockquote>
|
<blockquote>
|
||||||
@ -433,23 +447,23 @@ the connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
|
|||||||
|
|
||||||
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
|
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
|
||||||
(IP 130.151.100.69) to system 192.168.1.5 in
|
(IP 130.151.100.69) to system 192.168.1.5 in
|
||||||
my local network. External clients can browse http://www.mydomain.com
|
my local network. External clients can browse http://www.mydomain.com
|
||||||
but internal clients can't.</h4>
|
but internal clients can't.</h4>
|
||||||
|
|
||||||
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
|
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>Having
|
<li>Having
|
||||||
an internet-accessible server in your local network
|
an internet-accessible server in your local network
|
||||||
is like raising foxes in the corner of your hen house.
|
is like raising foxes in the corner of your hen house.
|
||||||
If the server is compromised, there's nothing between
|
If the server is compromised, there's nothing between
|
||||||
that server and your other internal systems. For the cost
|
that server and your other internal systems. For the
|
||||||
of another NIC and a cross-over cable, you can put your
|
cost of another NIC and a cross-over cable, you can put
|
||||||
server in a DMZ such that it is isolated from your local systems
|
your server in a DMZ such that it is isolated from your local systems
|
||||||
- assuming that the Server can be located near the Firewall,
|
- assuming that the Server can be located near the Firewall,
|
||||||
of course :-)</li>
|
of course :-)</li>
|
||||||
<li>The accessibility
|
<li>The
|
||||||
problem is best solved using <a
|
accessibility problem is best solved using <a
|
||||||
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
|
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
|
||||||
(or using a separate DNS server for local clients) such that www.mydomain.com
|
(or using a separate DNS server for local clients) such that www.mydomain.com
|
||||||
resolves to 130.141.100.69 externally and 192.168.1.5
|
resolves to 130.141.100.69 externally and 192.168.1.5
|
||||||
@ -615,13 +629,14 @@ releases.<br>
|
|||||||
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
|
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
|
||||||
subnet and I use static NAT to assign non-RFC1918
|
subnet and I use static NAT to assign non-RFC1918
|
||||||
addresses to hosts in Z. Hosts in Z cannot communicate
|
addresses to hosts in Z. Hosts in Z cannot communicate
|
||||||
with each other using their external (non-RFC1918 addresses)
|
with each other using their external (non-RFC1918
|
||||||
so they can't access each other using their DNS names.</h4>
|
addresses) so they can't access each other using their DNS
|
||||||
|
names.</h4>
|
||||||
|
|
||||||
<p align="left"><b>Answer: </b>This is another problem that is best solved
|
<p align="left"><b>Answer: </b>This is another problem that is best solved
|
||||||
using Bind Version 9 "views". It allows both
|
using Bind Version 9 "views". It allows both
|
||||||
external and internal clients to access a NATed host
|
external and internal clients to access a NATed
|
||||||
using the host's DNS name.</p>
|
host using the host's DNS name.</p>
|
||||||
|
|
||||||
<p align="left">Another good way to approach this problem is to switch from
|
<p align="left">Another good way to approach this problem is to switch from
|
||||||
static NAT to Proxy ARP. That way, the hosts
|
static NAT to Proxy ARP. That way, the hosts
|
||||||
@ -638,7 +653,8 @@ Z->Z traffic through your firewall then:</p>
|
|||||||
Example:</p>
|
Example:</p>
|
||||||
|
|
||||||
<p align="left">Zone: dmz<br>
|
<p align="left">Zone: dmz<br>
|
||||||
Interface: eth2<br>
|
Interface:
|
||||||
|
eth2<br>
|
||||||
Subnet: 192.168.2.0/24</p>
|
Subnet: 192.168.2.0/24</p>
|
||||||
|
|
||||||
<p align="left">In /etc/shorewall/interfaces:</p>
|
<p align="left">In /etc/shorewall/interfaces:</p>
|
||||||
@ -682,7 +698,8 @@ Z->Z traffic through your firewall then:</p>
|
|||||||
<td>dmz</td>
|
<td>dmz</td>
|
||||||
<td>dmz</td>
|
<td>dmz</td>
|
||||||
<td>ACCEPT</td>
|
<td>ACCEPT</td>
|
||||||
<td> <br>
|
<td>
|
||||||
|
<br>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
@ -725,9 +742,9 @@ Z->Z traffic through your firewall then:</p>
|
|||||||
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
|
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
|
||||||
tracking/NAT module</a> that may help with Netmeeting.
|
tracking/NAT module</a> that may help with Netmeeting.
|
||||||
Look <a href="http://linux-igd.sourceforge.net">here</a> for
|
Look <a href="http://linux-igd.sourceforge.net">here</a> for
|
||||||
a solution for MSN IM but be aware that there are significant security
|
a solution for MSN IM but be aware that there are significant
|
||||||
risks involved with this solution. Also check the Netfilter
|
security risks involved with this solution. Also check the Netfilter
|
||||||
mailing list archives at <a
|
mailing list archives at <a
|
||||||
href="http://www.netfilter.org">http://www.netfilter.org</a>.
|
href="http://www.netfilter.org">http://www.netfilter.org</a>.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
@ -737,11 +754,11 @@ mailing list archives at <a
|
|||||||
|
|
||||||
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
|
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
|
||||||
always rejects connection requests on TCP
|
always rejects connection requests on TCP
|
||||||
port 113 rather than dropping them. This is necessary
|
port 113 rather than dropping them. This is necessary
|
||||||
to prevent outgoing connection problems to services
|
to prevent outgoing connection problems to services
|
||||||
that use the 'Auth' mechanism for identifying requesting
|
that use the 'Auth' mechanism for identifying requesting
|
||||||
users. Shorewall also rejects TCP ports 135, 137 and
|
users. Shorewall also rejects TCP ports 135, 137 and
|
||||||
139 as well as UDP ports 137-139. These are ports that are
|
139 as well as UDP ports 137-139. These are ports that are
|
||||||
used by Windows (Windows <u>can</u> be configured to use the
|
used by Windows (Windows <u>can</u> be configured to use the
|
||||||
DCE cell locator on port 135). Rejecting these connection requests
|
DCE cell locator on port 135). Rejecting these connection requests
|
||||||
rather than dropping them cuts down slightly on the amount of
|
rather than dropping them cuts down slightly on the amount of
|
||||||
@ -767,12 +784,12 @@ REJECT, restart Shorewall and do the nmap UDP scan again.<br>
|
|||||||
I change my rules. </h4>
|
I change my rules. </h4>
|
||||||
I had a rule that allowed telnet from my local network to my firewall;
|
I had a rule that allowed telnet from my local network to my firewall;
|
||||||
I removed that rule and restarted Shorewall but my telnet session still
|
I removed that rule and restarted Shorewall but my telnet session still
|
||||||
works!!!<br>
|
works!!!<br>
|
||||||
<br>
|
<br>
|
||||||
<b>Answer: </b> Rules only govern the establishment of new connections.
|
<b>Answer: </b> Rules only govern the establishment of new connections.
|
||||||
Once a connection is established through the firewall it will be usable
|
Once a connection is established through the firewall it will be usable
|
||||||
until disconnected (tcp) or until it times out (other protocols). If you
|
until disconnected (tcp) or until it times out (other protocols). If you
|
||||||
stop telnet and try to establish a new session your firerwall will block
|
stop telnet and try to establish a new session your firerwall will block
|
||||||
that attempt.<br>
|
that attempt.<br>
|
||||||
|
|
||||||
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
|
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
|
||||||
@ -783,10 +800,10 @@ that attempt.<br>
|
|||||||
|
|
||||||
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
|
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
|
||||||
<br>
|
<br>
|
||||||
b) Be sure that
|
b) Be sure
|
||||||
the first command in the file is ". /etc/shorewall/common.def"<br>
|
that the first command in the file is ". /etc/shorewall/common.def"<br>
|
||||||
c) Add the following
|
c) Add the
|
||||||
to /etc/shorewall/common </p>
|
following to /etc/shorewall/common </p>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
|
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
|
||||||
@ -839,14 +856,14 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
|
|||||||
<a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
|
<a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
|
||||||
</p>
|
</p>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
I personnaly use Logwatch. It emails
|
I personnaly use Logwatch. It
|
||||||
me a report each day from my various systems with each
|
emails me a report each day from my various systems with
|
||||||
report summarizing the logged activity on the corresponding
|
each report summarizing the logged activity on the corresponding
|
||||||
system.
|
system.
|
||||||
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
|
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
|
||||||
are <b>flooding the logs</b> with their connect requests. Can
|
are <b>flooding the logs</b> with their connect requests. Can
|
||||||
i exclude these error messages for this port temporarily from logging
|
i exclude these error messages for this port temporarily from
|
||||||
in Shorewall?</h4>
|
logging in Shorewall?</h4>
|
||||||
Temporarily add the following rule:<br>
|
Temporarily add the following rule:<br>
|
||||||
|
|
||||||
<pre> DROP net fw udp 10619</pre>
|
<pre> DROP net fw udp 10619</pre>
|
||||||
@ -860,7 +877,7 @@ report summarizing the logged activity on the corresponding
|
|||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>They are late-arriving replies to DNS
|
<li>They are late-arriving replies to DNS
|
||||||
queries.</li>
|
queries.</li>
|
||||||
<li>They are corrupted reply packets.</li>
|
<li>They are corrupted reply packets.</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
@ -875,7 +892,7 @@ queries.</li>
|
|||||||
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
|
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
The above file is also include in all of my
|
The above file is also include in all of my
|
||||||
sample configurations available in the <a
|
sample configurations available in the <a
|
||||||
href="shorewall_quickstart_guide.htm">Quick Start Guides</a> and in
|
href="shorewall_quickstart_guide.htm">Quick Start Guides</a> and in
|
||||||
the common.def file in Shorewall 1.4.0 and later.<br>
|
the common.def file in Shorewall 1.4.0 and later.<br>
|
||||||
|
|
||||||
@ -908,9 +925,9 @@ sample configurations available in the <a
|
|||||||
|
|
||||||
<p align="left">The 'stop' command is intended to place your firewall into
|
<p align="left">The 'stop' command is intended to place your firewall into
|
||||||
a safe state whereby only those hosts listed
|
a safe state whereby only those hosts listed
|
||||||
in /etc/shorewall/routestopped' are activated. If
|
in /etc/shorewall/routestopped' are activated.
|
||||||
you want to totally open up your firewall, you must use the
|
If you want to totally open up your firewall, you must use
|
||||||
'shorewall clear' command. </p>
|
the 'shorewall clear' command. </p>
|
||||||
|
|
||||||
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
|
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
|
||||||
I get messages about insmod failing -- what's wrong?</h4>
|
I get messages about insmod failing -- what's wrong?</h4>
|
||||||
@ -974,8 +991,8 @@ local zone is defined as all hosts connected through eth1</p>
|
|||||||
<h4 align="left"><a name="faq12"></a>12. Is there a GUI?</h4>
|
<h4 align="left"><a name="faq12"></a>12. Is there a GUI?</h4>
|
||||||
|
|
||||||
<p align="left"><b>Answer: </b>Yes. Shorewall support is included in Webmin
|
<p align="left"><b>Answer: </b>Yes. Shorewall support is included in Webmin
|
||||||
1.060 and later versions. See <a href="http://www.webmin.com">http://www.webmin.com</a>
|
1.060 and later versions. See <a
|
||||||
</p>
|
href="http://www.webmin.com">http://www.webmin.com</a> </p>
|
||||||
|
|
||||||
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
|
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
|
||||||
|
|
||||||
@ -988,13 +1005,13 @@ local zone is defined as all hosts connected through eth1</p>
|
|||||||
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
|
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
|
||||||
and it has an internal web server that allows
|
and it has an internal web server that allows
|
||||||
me to configure/monitor it but as expected if I
|
me to configure/monitor it but as expected if I
|
||||||
enable rfc1918 blocking for my eth0 interface (the internet
|
enable rfc1918 blocking for my eth0 interface (the internet
|
||||||
one), it also blocks the cable modems web server.</h4>
|
one), it also blocks the cable modems web server.</h4>
|
||||||
|
|
||||||
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
|
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
|
||||||
that will let all traffic to and from the 192.168.100.1
|
that will let all traffic to and from the 192.168.100.1
|
||||||
address of the modem in/out but still block all other
|
address of the modem in/out but still block all
|
||||||
rfc1918 addresses?</p>
|
other rfc1918 addresses?</p>
|
||||||
|
|
||||||
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
|
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
|
||||||
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
|
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
|
||||||
@ -1036,8 +1053,8 @@ following:</p>
|
|||||||
|
|
||||||
<p align="left">Note: If you add a second IP address to your external firewall
|
<p align="left">Note: If you add a second IP address to your external firewall
|
||||||
interface to correspond to the modem address,
|
interface to correspond to the modem address,
|
||||||
you must also make an entry in /etc/shorewall/rfc1918
|
you must also make an entry in /etc/shorewall/rfc1918
|
||||||
for that address. For example, if you configure the address
|
for that address. For example, if you configure the address
|
||||||
192.168.100.2 on your firewall, then you would add two entries
|
192.168.100.2 on your firewall, then you would add two entries
|
||||||
to /etc/shorewall/rfc1918: <br>
|
to /etc/shorewall/rfc1918: <br>
|
||||||
</p>
|
</p>
|
||||||
@ -1091,10 +1108,10 @@ its lease.</h4>
|
|||||||
the net</h4>
|
the net</h4>
|
||||||
|
|
||||||
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
|
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
|
||||||
the net", I wonder where the poster bought computers
|
the net", I wonder where the poster bought
|
||||||
with eyes and what those computers will "see" when
|
computers with eyes and what those computers will
|
||||||
things are working properly. That aside, the most
|
"see" when things are working properly. That aside,
|
||||||
common causes of this problem are:</p>
|
the most common causes of this problem are:</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>
|
<li>
|
||||||
@ -1111,8 +1128,8 @@ common causes of this problem are:</p>
|
|||||||
|
|
||||||
<p align="left">The DNS settings on the local systems are wrong or the
|
<p align="left">The DNS settings on the local systems are wrong or the
|
||||||
user is running a DNS server on the firewall
|
user is running a DNS server on the firewall
|
||||||
and hasn't enabled UDP and TCP port 53 from the
|
and hasn't enabled UDP and TCP port 53 from
|
||||||
firewall to the internet.</p>
|
the firewall to the internet.</p>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
@ -1122,11 +1139,11 @@ common causes of this problem are:</p>
|
|||||||
|
|
||||||
<p align="left"><b>Answer: </b>If you are running Shorewall version 1.4.4
|
<p align="left"><b>Answer: </b>If you are running Shorewall version 1.4.4
|
||||||
or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see
|
or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see
|
||||||
the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
|
the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
|
||||||
to your startup scripts or place it in /etc/shorewall/start.
|
to your startup scripts or place it in /etc/shorewall/start.
|
||||||
Under RedHat, the max log level that is sent
|
Under RedHat, the max log level that is sent
|
||||||
to the console is specified in /etc/sysconfig/init in
|
to the console is specified in /etc/sysconfig/init
|
||||||
the LOGLEVEL variable.<br>
|
in the LOGLEVEL variable.<br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
|
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
|
||||||
@ -1146,9 +1163,9 @@ the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
|
|||||||
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
|
||||||
<li><b>all2<zone></b>,
|
<li><b>all2<zone></b>,
|
||||||
<b><zone>2all</b> or <b>all2all
|
<b><zone>2all</b> or <b>all2all
|
||||||
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
|
</b>- You have a<a href="Documentation.htm#Policy"> policy</a>
|
||||||
specifies a log level and this packet is being logged
|
that specifies a log level and this packet is being
|
||||||
under that policy. If you intend to ACCEPT this traffic
|
logged under that policy. If you intend to ACCEPT this traffic
|
||||||
then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br>
|
then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br>
|
||||||
</li>
|
</li>
|
||||||
<li><b><zone1>2<zone2>
|
<li><b><zone1>2<zone2>
|
||||||
@ -1157,7 +1174,7 @@ then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br
|
|||||||
</b>to <b><zone2></b> that specifies a log level and
|
</b>to <b><zone2></b> that specifies a log level and
|
||||||
this packet is being logged under that policy or this packet
|
this packet is being logged under that policy or this packet
|
||||||
matches a <a href="Documentation.htm#Rules">rule</a> that
|
matches a <a href="Documentation.htm#Rules">rule</a> that
|
||||||
includes a log level.</li>
|
includes a log level.</li>
|
||||||
<li><b><interface>_mac</b>
|
<li><b><interface>_mac</b>
|
||||||
- The packet is being logged under the <b>maclist</b>
|
- The packet is being logged under the <b>maclist</b>
|
||||||
<a href="Documentation.htm#Interfaces">interface option</a>.<br>
|
<a href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||||
@ -1165,8 +1182,8 @@ includes a log level.</li>
|
|||||||
<li><b>logpkt</b>
|
<li><b>logpkt</b>
|
||||||
- The packet is being logged under the <b>logunclean</b>
|
- The packet is being logged under the <b>logunclean</b>
|
||||||
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
|
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
|
||||||
<li><b>badpkt </b>-
|
<li><b>badpkt
|
||||||
The packet is being logged under the <b>dropunclean</b>
|
</b>- The packet is being logged under the <b>dropunclean</b>
|
||||||
<a href="Documentation.htm#Interfaces">interface option</a>
|
<a href="Documentation.htm#Interfaces">interface option</a>
|
||||||
as specified in the <b>LOGUNCLEAN </b>setting in <a
|
as specified in the <b>LOGUNCLEAN </b>setting in <a
|
||||||
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
|
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
|
||||||
@ -1175,19 +1192,20 @@ includes a log level.</li>
|
|||||||
is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
|
is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
|
||||||
</a>file.</li>
|
</a>file.</li>
|
||||||
<li><b>newnotsyn
|
<li><b>newnotsyn
|
||||||
</b>- The packet is being logged because it is a
|
</b>- The packet is being logged because it is
|
||||||
TCP packet that is not part of any current connection yet
|
a TCP packet that is not part of any current connection
|
||||||
it is not a syn packet. Options affecting the logging of such
|
yet it is not a syn packet. Options affecting the logging
|
||||||
packets include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN
|
of such packets include <b>NEWNOTSYN </b>and
|
||||||
</b>in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
<b>LOGNEWNOTSYN </b>in <a
|
||||||
|
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||||
<li><b>INPUT</b>
|
<li><b>INPUT</b>
|
||||||
or <b>FORWARD</b> - The packet has a source IP address
|
or <b>FORWARD</b> - The packet has a source IP address
|
||||||
that isn't in any of your defined zones ("shorewall check"
|
that isn't in any of your defined zones ("shorewall check"
|
||||||
and look at the printed zone definitions) or the chain is
|
and look at the printed zone definitions) or the chain is
|
||||||
FORWARD and the destination IP isn't in any of your defined
|
FORWARD and the destination IP isn't in any of your defined
|
||||||
zones.</li>
|
zones.</li>
|
||||||
<li><b>logflags </b>- The
|
<li><b>logflags </b>- The
|
||||||
packet is being logged because it failed the checks implemented
|
packet is being logged because it failed the checks implemented
|
||||||
by the <b>tcpflags </b><a
|
by the <b>tcpflags </b><a
|
||||||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||||
</li>
|
</li>
|
||||||
@ -1197,14 +1215,14 @@ packet is being logged because it failed the checks implemen
|
|||||||
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
|
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
|
||||||
with Shorewall, and maintain separate rulesets for
|
with Shorewall, and maintain separate rulesets for
|
||||||
different IPs?</h4>
|
different IPs?</h4>
|
||||||
<b>Answer: </b>Yes. See
|
<b>Answer: </b>Yes.
|
||||||
<a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
|
See <a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased
|
||||||
|
Interfaces</a>.
|
||||||
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
|
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
|
||||||
but they don't seem to do anything. Why?</h4>
|
but they don't seem to do anything. Why?</h4>
|
||||||
You probably haven't set
|
You probably haven't set
|
||||||
TC_ENABLED=Yes in /etc/shorewall/shorewall.conf so
|
TC_ENABLED=Yes in /etc/shorewall/shorewall.conf so
|
||||||
the contents of the tcrules file are simply being ignored.<br>
|
the contents of the tcrules file are simply being ignored.<br>
|
||||||
|
|
||||||
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
|
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
|
||||||
to change Shorewall to allow access to my server from
|
to change Shorewall to allow access to my server from
|
||||||
@ -1223,45 +1241,45 @@ rules for your server.<br>
|
|||||||
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
|
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
192.0.2.3 is external on my
|
192.0.2.3 is external on my
|
||||||
firewall... 172.16.0.0/24 is my internal LAN<br>
|
firewall... 172.16.0.0/24 is my internal LAN<br>
|
||||||
<br>
|
<br>
|
||||||
<b>Answer: </b>While most people
|
<b>Answer: </b>While most
|
||||||
associate the Internet Control Message Protocol (ICMP)
|
people associate the Internet Control Message Protocol
|
||||||
with 'ping', ICMP is a key piece of the internet. ICMP is
|
(ICMP) with 'ping', ICMP is a key piece of the internet.
|
||||||
used to report problems back to the sender of a packet; this
|
ICMP is used to report problems back to the sender of a packet;
|
||||||
is what is happening here. Unfortunately, where NAT is involved
|
this is what is happening here. Unfortunately, where NAT is involved
|
||||||
(including SNAT, DNAT and Masquerade), there are a lot of broken
|
(including SNAT, DNAT and Masquerade), there are a lot of broken
|
||||||
implementations. That is what you are seeing with these messages.<br>
|
implementations. That is what you are seeing with these messages.<br>
|
||||||
<br>
|
<br>
|
||||||
Here is my interpretation of
|
Here is my interpretation of
|
||||||
what is happening -- to confirm this analysis, one would
|
what is happening -- to confirm this analysis, one would
|
||||||
have to have packet sniffers placed a both ends of the connection.<br>
|
have to have packet sniffers placed a both ends of the connection.<br>
|
||||||
<br>
|
<br>
|
||||||
Host 172.16.1.10 behind NAT gateway
|
Host 172.16.1.10 behind NAT
|
||||||
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and
|
gateway 206.124.146.179 sent a UDP DNS query to 192.0.2.3
|
||||||
your DNS server tried to send a response (the response information
|
and your DNS server tried to send a response (the response information
|
||||||
is in the brackets -- note source port 53 which marks this as
|
is in the brackets -- note source port 53 which marks this as
|
||||||
a DNS reply). When the response was returned to to 206.124.146.179,
|
a DNS reply). When the response was returned to to 206.124.146.179,
|
||||||
it rewrote the destination IP TO 172.16.1.10 and forwarded the
|
it rewrote the destination IP TO 172.16.1.10 and forwarded the
|
||||||
packet to 172.16.1.10 who no longer had a connection on UDP port
|
packet to 172.16.1.10 who no longer had a connection on UDP port
|
||||||
2857. This causes a port unreachable (type 3, code 3) to be generated
|
2857. This causes a port unreachable (type 3, code 3) to be generated
|
||||||
back to 192.0.2.3. As this packet is sent back through 206.124.146.179,
|
back to 192.0.2.3. As this packet is sent back through 206.124.146.179,
|
||||||
that box correctly changes the source address in the packet to 206.124.146.179
|
that box correctly changes the source address in the packet to 206.124.146.179
|
||||||
but doesn't reset the DST IP in the original DNS response similarly.
|
but doesn't reset the DST IP in the original DNS response similarly.
|
||||||
When the ICMP reaches your firewall (192.0.2.3), your firewall has
|
When the ICMP reaches your firewall (192.0.2.3), your firewall has
|
||||||
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
|
no record of having sent a DNS reply to 172.16.1.10 so this ICMP
|
||||||
appear to be related to anything that was sent. The final result
|
doesn't appear to be related to anything that was sent. The final
|
||||||
is that the packet gets logged and dropped in the all2all chain. I
|
result is that the packet gets logged and dropped in the all2all chain.
|
||||||
have also seen cases where the source IP in the ICMP itself isn't set
|
I have also seen cases where the source IP in the ICMP itself isn't
|
||||||
back to the external IP of the remote NAT gateway; that causes your
|
set back to the external IP of the remote NAT gateway; that causes your
|
||||||
firewall to log and drop the packet out of the rfc1918 chain because
|
firewall to log and drop the packet out of the rfc1918 chain because
|
||||||
the source IP is reserved by RFC 1918.<br>
|
the source IP is reserved by RFC 1918.<br>
|
||||||
|
|
||||||
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
|
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
|
||||||
I want to <b>run when Shorewall starts.</b> Which file do
|
I want to <b>run when Shorewall starts.</b> Which file
|
||||||
I put them in?</h4>
|
do I put them in?</h4>
|
||||||
You can place these commands
|
You can place these commands
|
||||||
in one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
|
in one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
|
||||||
Scripts</a>. Be sure that you look at the contents of the chain(s)
|
Scripts</a>. Be sure that you look at the contents of the chain(s)
|
||||||
that you will be modifying with your commands to be sure
|
that you will be modifying with your commands to be sure
|
||||||
that the commands will do what they are intended. Many iptables
|
that the commands will do what they are intended. Many iptables
|
||||||
@ -1274,17 +1292,17 @@ or REJECT rule and any rules that you add after that will be ignored.
|
|||||||
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
|
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
|
||||||
web site?</h4>
|
web site?</h4>
|
||||||
The Shorewall web site is almost font
|
The Shorewall web site is almost font
|
||||||
neutral (it doesn't explicitly specify fonts except on a few
|
neutral (it doesn't explicitly specify fonts except on a
|
||||||
pages) so the fonts you see are largely the default fonts configured
|
few pages) so the fonts you see are largely the default fonts
|
||||||
in your browser. If you don't like them then reconfigure your
|
configured in your browser. If you don't like them then reconfigure
|
||||||
browser.<br>
|
your browser.<br>
|
||||||
|
|
||||||
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
|
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
|
||||||
the ssh port only<b> from specific IP Addresses</b> on the
|
the ssh port only<b> from specific IP Addresses</b> on the
|
||||||
internet?</h4>
|
internet?</h4>
|
||||||
In the SOURCE column of the rule, follow
|
In the SOURCE column of the rule, follow
|
||||||
"net" by a colon and a list of the host/subnet addresses as
|
"net" by a colon and a list of the host/subnet addresses as
|
||||||
a comma-separated list.<br>
|
a comma-separated list.<br>
|
||||||
|
|
||||||
<pre> net:<ip1>,<ip2>,...<br></pre>
|
<pre> net:<ip1>,<ip2>,...<br></pre>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
@ -1301,17 +1319,34 @@ a comma-separated list.<br>
|
|||||||
<font color="#009900"><b> /sbin/shorewall version</b></font><br>
|
<font color="#009900"><b> /sbin/shorewall version</b></font><br>
|
||||||
|
|
||||||
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN options
|
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN options
|
||||||
in nmap on or behind the firewall, I get "operation not permitted". How can
|
in nmap on or behind the firewall, I get "operation not permitted". How can
|
||||||
I use nmap with Shorewall?"</h4>
|
I use nmap with Shorewall?"</h4>
|
||||||
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes"
|
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes"
|
||||||
then restart Shorewall.<br>
|
then restart Shorewall.<br>
|
||||||
<br>
|
|
||||||
<font size="2">Last updated 7/5/2003 - <a
|
<h4><a name="faq27">27. I'm compiling a new kernel for my firewall. What should
|
||||||
|
I look out for?</a></h4>
|
||||||
|
First take a look at the <a href="kernel.htm">Shorewall kernel configuration
|
||||||
|
page</a>. You probably also want to be sure that you have selected the "<b>NAT
|
||||||
|
of local connections (READ HELP)</b>" on the Netfilter Configuration menu.
|
||||||
|
Otherwise, DNAT rules with your firewall as the source zone won't work with
|
||||||
|
your new kernel.<br>
|
||||||
|
<h4><a name="faq28"></a>28. How do I use Shorewall as a Bridging Firewall?<br>
|
||||||
|
</h4>
|
||||||
|
Basically, you don't. While there are kernel patches that allow you to route
|
||||||
|
bridge traffic through Netfilter, the environment is so different from the
|
||||||
|
Layer 3 firewalling environment that very little of Shorewall works. In fact,
|
||||||
|
so much of Shorewall doesn't work that my official position is that "Shorewall
|
||||||
|
doesn't work with Layer 2 Bridging".<br>
|
||||||
|
<br>
|
||||||
|
<font size="2">Last updated 7/9/2003 - <a
|
||||||
href="support.htm">Tom Eastep</a></font>
|
href="support.htm">Tom Eastep</a></font>
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||||
</p>
|
</p>
|
||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
File diff suppressed because it is too large
Load Diff
50
Shorewall-docs/Shorewall_Doesnt.html
Normal file
50
Shorewall-docs/Shorewall_Doesnt.html
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>What Shorewall Cannot Do</title>
|
||||||
|
|
||||||
|
<meta http-equiv="content-type"
|
||||||
|
content="text/html; charset=ISO-8859-1">
|
||||||
|
|
||||||
|
<meta name="author" content="Tom Eastep">
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<small> </small><small>
|
||||||
|
</small><small>
|
||||||
|
</small><small>
|
||||||
|
</small><small>
|
||||||
|
</small> <small> </small>
|
||||||
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||||
|
bgcolor="#400169" height="90">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td width="100%"><small> </small>
|
||||||
|
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall
|
||||||
|
<b>Cannot</b> Do</font></small></h1>
|
||||||
|
<small> </small></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<small><br>
|
||||||
|
</small>Shorewall cannot:<br>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li>
|
||||||
|
<li>Act as a "Personal Firewall" that allows internet access by application.</li>
|
||||||
|
<li>Do content filtering -- better to use <a
|
||||||
|
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
<br>
|
||||||
|
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
|
|
||||||
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||||
|
</p>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
</body>
|
||||||
|
</html>
|
@ -12,8 +12,8 @@
|
|||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
<title>Shorewall Index</title>
|
<title>Shorewall Index</title>
|
||||||
|
|
||||||
<base target="main">
|
<base
|
||||||
|
target="main">
|
||||||
<meta name="Microsoft Theme" content="none">
|
<meta name="Microsoft Theme" content="none">
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
@ -38,6 +38,8 @@
|
|||||||
href="seattlefirewall_index.htm">Home</a></li>
|
href="seattlefirewall_index.htm">Home</a></li>
|
||||||
<li> <a
|
<li> <a
|
||||||
href="shorewall_features.htm">Features</a></li>
|
href="shorewall_features.htm">Features</a></li>
|
||||||
|
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||||
|
</li>
|
||||||
<li> <a
|
<li> <a
|
||||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||||
<li> <a
|
<li> <a
|
||||||
@ -50,8 +52,9 @@
|
|||||||
<li> <a
|
<li> <a
|
||||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
|
||||||
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
<li> <b><a
|
||||||
|
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
||||||
|
|
||||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||||
<li><a
|
<li><a
|
||||||
@ -71,8 +74,8 @@
|
|||||||
<li><a href="1.3"
|
<li><a href="1.3"
|
||||||
target="_top">Shorewall 1.3 Site</a></li>
|
target="_top">Shorewall 1.3 Site</a></li>
|
||||||
<li><a
|
<li><a
|
||||||
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
|
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
|
||||||
1.2 Site</a></li>
|
Site</a></li>
|
||||||
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
||||||
|
|
||||||
|
|
||||||
@ -136,6 +139,7 @@
|
|||||||
|
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
||||||
</p>
|
</p>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -38,6 +38,8 @@
|
|||||||
href="seattlefirewall_index.htm">Home</a></li>
|
href="seattlefirewall_index.htm">Home</a></li>
|
||||||
<li> <a
|
<li> <a
|
||||||
href="shorewall_features.htm">Features</a></li>
|
href="shorewall_features.htm">Features</a></li>
|
||||||
|
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||||
|
</li>
|
||||||
<li> <a
|
<li> <a
|
||||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||||
<li> <a
|
<li> <a
|
||||||
@ -71,11 +73,12 @@
|
|||||||
</li>
|
</li>
|
||||||
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
|
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
|
||||||
<li><a
|
<li><a
|
||||||
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
|
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
|
||||||
Site</a></li>
|
1.2 Site</a></li>
|
||||||
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li><a
|
<li><a
|
||||||
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||||
@ -135,6 +138,7 @@ Site</a></li>
|
|||||||
|
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
||||||
</p>
|
</p>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -75,14 +75,14 @@
|
|||||||
|
|
||||||
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
|
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
|
||||||
|
|
||||||
<p align="left">You can report such problems by sending mail to tmeastep at
|
<p align="left">You can report such problems by sending mail to tmeastep
|
||||||
hotmail dot com.</p>
|
at hotmail dot com.</p>
|
||||||
|
|
||||||
<h2>A Word about the SPAM Filters at Shorewall.net <a
|
<h2>A Word about the SPAM Filters at Shorewall.net <a
|
||||||
href="http://osirusoft.com/"> </a></h2>
|
href="http://osirusoft.com/"> </a></h2>
|
||||||
|
|
||||||
<p>Please note that the mail server at shorewall.net checks
|
<p>Please note that the mail server at shorewall.net
|
||||||
incoming mail:<br>
|
checks incoming mail:<br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
@ -93,34 +93,27 @@ incoming mail:<br>
|
|||||||
<li>to ensure that the sender address is fully
|
<li>to ensure that the sender address is fully
|
||||||
qualified.</li>
|
qualified.</li>
|
||||||
<li>to verify that the sender's domain has an
|
<li>to verify that the sender's domain has an
|
||||||
A or MX record in DNS.</li>
|
A or MX record in DNS.</li>
|
||||||
<li>to ensure that the host name in the HELO/EHLO
|
<li>to ensure that the host name in the HELO/EHLO
|
||||||
command is a valid fully-qualified DNS name that resolves.</li>
|
command is a valid fully-qualified DNS name that resolves.</li>
|
||||||
<li>to ensure that the sending system has a valid PTR record in DNS.</li>
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
<big><font color="#cc0000"><b>This last point is important. If you run your
|
|
||||||
own outgoing mail server and it doesn't have a valid DNS PTR record, your
|
|
||||||
email won't reach the lists unless/until the postmaster notices that your
|
|
||||||
posts are being rejected. To avoid this problem, you should configure your
|
|
||||||
MTA to forward posts to shorewall.net through an MTA that <u>does</u> have
|
|
||||||
a valid PTR record (such as the one at your ISP). </b></font></big><br>
|
|
||||||
|
|
||||||
<h2>Please post in plain text</h2>
|
<h2>Please post in plain text</h2>
|
||||||
A growing number of MTAs serving list subscribers are
|
A growing number of MTAs serving list subscribers are
|
||||||
rejecting all HTML traffic. At least one MTA has gone so far as to
|
rejecting all HTML traffic. At least one MTA has gone so far as
|
||||||
blacklist shorewall.net "for continuous abuse" because it has been my
|
to blacklist shorewall.net "for continuous abuse" because it has been
|
||||||
policy to allow HTML in list posts!!<br>
|
my policy to allow HTML in list posts!!<br>
|
||||||
<br>
|
<br>
|
||||||
I think that blocking all HTML is a Draconian way to
|
I think that blocking all HTML is a Draconian way to
|
||||||
control spam and that the ultimate losers here are not the spammers
|
control spam and that the ultimate losers here are not the spammers
|
||||||
but the list subscribers whose MTAs are bouncing all shorewall.net
|
but the list subscribers whose MTAs are bouncing all shorewall.net
|
||||||
mail. As one list subscriber wrote to me privately "These e-mail admin's
|
mail. As one list subscriber wrote to me privately "These e-mail admin's
|
||||||
need to get a <i>(explitive deleted)</i> life instead of trying to rid
|
need to get a <i>(explitive deleted)</i> life instead of trying to rid
|
||||||
the planet of HTML based e-mail". Nevertheless, to allow subscribers
|
the planet of HTML based e-mail". Nevertheless, to allow subscribers to
|
||||||
to receive list posts as must as possible, I have now configured the
|
receive list posts as must as possible, I have now configured the list
|
||||||
list server at shorewall.net to strip all HTML from outgoing posts.
|
server at shorewall.net to strip all HTML from outgoing posts. This
|
||||||
This means that HTML-only posts will be bounced by the list server.<br>
|
means that HTML-only posts will be bounced by the list server.<br>
|
||||||
|
|
||||||
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
|
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
|
||||||
</p>
|
</p>
|
||||||
@ -156,34 +149,34 @@ This means that HTML-only posts will be bounced by the list server.<br>
|
|||||||
<option value="revtime">Reverse Time </option>
|
<option value="revtime">Reverse Time </option>
|
||||||
<option value="revtitle">Reverse Title </option>
|
<option value="revtitle">Reverse Title </option>
|
||||||
</select>
|
</select>
|
||||||
</font> <input type="hidden" name="config"
|
</font> <input type="hidden"
|
||||||
value="htdig"> <input type="hidden" name="restrict"
|
name="config" value="htdig"> <input type="hidden" name="restrict"
|
||||||
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
|
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||||
name="exclude" value=""> <br>
|
name="exclude" value=""> <br>
|
||||||
Search: <input type="text" size="30"
|
Search: <input type="text" size="30"
|
||||||
name="words" value=""> <input type="submit" value="Search"> </p>
|
name="words" value=""> <input type="submit" value="Search"> </p>
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
|
<h2 align="left"><font color="#ff0000">Please do not try to download the
|
||||||
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
|
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
|
||||||
stand the traffic. If I catch you, you will be blacklisted.<br>
|
won't stand the traffic. If I catch you, you will be blacklisted.<br>
|
||||||
</font></h2>
|
</font></h2>
|
||||||
|
|
||||||
<h2 align="left">Shorewall CA Certificate</h2>
|
<h2 align="left">Shorewall CA Certificate</h2>
|
||||||
If you want to trust X.509 certificates issued
|
If you want to trust X.509 certificates issued
|
||||||
by Shoreline Firewall (such as the one used on my web site),
|
by Shoreline Firewall (such as the one used on my web site), you
|
||||||
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
||||||
in your browser. If you don't wish to trust my certificates
|
in your browser. If you don't wish to trust my certificates
|
||||||
then you can either use unencrypted access when subscribing to
|
then you can either use unencrypted access when subscribing to Shorewall
|
||||||
Shorewall mailing lists or you can use secure access (SSL) and
|
mailing lists or you can use secure access (SSL) and accept the
|
||||||
accept the server's certificate when prompted by your browser.<br>
|
server's certificate when prompted by your browser.<br>
|
||||||
|
|
||||||
<h2 align="left">Shorewall Users Mailing List</h2>
|
<h2 align="left">Shorewall Users Mailing List</h2>
|
||||||
|
|
||||||
<p align="left">The Shorewall Users Mailing list provides a way for users
|
<p align="left">The Shorewall Users Mailing list provides a way for users
|
||||||
to get answers to questions and to report problems. Information
|
to get answers to questions and to report problems. Information
|
||||||
of general interest to the Shorewall user community is also
|
of general interest to the Shorewall user community is also posted
|
||||||
posted to this list.</p>
|
to this list.</p>
|
||||||
|
|
||||||
<p align="left"><b>Before posting a problem report to this list, please see
|
<p align="left"><b>Before posting a problem report to this list, please see
|
||||||
the <a href="http://www.shorewall.net/support.htm">problem
|
the <a href="http://www.shorewall.net/support.htm">problem
|
||||||
@ -207,9 +200,9 @@ reporting guidelines</a>.</b></p>
|
|||||||
<p align="left">The list archives are at <a
|
<p align="left">The list archives are at <a
|
||||||
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
|
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
|
||||||
|
|
||||||
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
|
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
|
||||||
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
|
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
|
||||||
list may be found at <a
|
may be found at <a
|
||||||
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
|
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
|
||||||
|
|
||||||
<h2 align="left">Shorewall Announce Mailing List</h2>
|
<h2 align="left">Shorewall Announce Mailing List</h2>
|
||||||
@ -294,11 +287,12 @@ emailed to you.</p>
|
|||||||
|
|
||||||
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
|
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
|
||||||
|
|
||||||
<p align="left"><font size="2">Last updated 6/14/2003 - <a
|
<p align="left"><font size="2">Last updated 7/7/2003 - <a
|
||||||
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
|
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
|
||||||
|
|
||||||
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
|
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||||
</p>
|
</p>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -24,15 +24,18 @@
|
|||||||
</table>
|
</table>
|
||||||
<br>
|
<br>
|
||||||
Shorewall 'Ping' management has evolved over time with the latest change
|
Shorewall 'Ping' management has evolved over time with the latest change
|
||||||
coming in Shorewall version 1.4.0. <br>
|
coming in Shorewall version 1.4.0. To find out which version of Shorewall
|
||||||
|
you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
|
||||||
|
version</b></font>". If that command gives you an error, it's time to upgrade
|
||||||
|
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
|
||||||
|
|
||||||
<h2>Shorewall Versions >= 1.4.0</h2>
|
<h2>Shorewall Versions >= 1.4.0</h2>
|
||||||
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
|
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
|
||||||
like any other connection request.<br>
|
like any other connection request.<br>
|
||||||
<br>
|
<br>
|
||||||
In order to accept ping requests from zone z1 to zone z2 where the policy
|
In order to accept ping requests from zone z1 to zone z2 where the policy
|
||||||
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
|
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
|
||||||
form:<br>
|
form:<br>
|
||||||
|
|
||||||
<blockquote>ACCEPT <i>z1 z2
|
<blockquote>ACCEPT <i>z1 z2
|
||||||
</i>icmp 8<br>
|
</i>icmp 8<br>
|
||||||
@ -51,8 +54,8 @@ form:<br>
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
|
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
|
With that rule in place, if you want to ignore 'ping' from z1 to z2
|
||||||
you need a rule of the form:<br>
|
then you need a rule of the form:<br>
|
||||||
|
|
||||||
<blockquote>DROP <i>z1 z2
|
<blockquote>DROP <i>z1 z2
|
||||||
</i>icmp 8<br>
|
</i>icmp 8<br>
|
||||||
@ -70,7 +73,7 @@ form:<br>
|
|||||||
in /etc/shorewall/shorewall.conf</h2>
|
in /etc/shorewall/shorewall.conf</h2>
|
||||||
In 1.3.14, Ping handling was put under control of the rules and policies
|
In 1.3.14, Ping handling was put under control of the rules and policies
|
||||||
just like any other connection request. In order to accept ping requests
|
just like any other connection request. In order to accept ping requests
|
||||||
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
|
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
|
||||||
need a rule in /etc/shoreall/rules of the form:<br>
|
need a rule in /etc/shoreall/rules of the form:<br>
|
||||||
|
|
||||||
<blockquote>ACCEPT <i>z1 z2
|
<blockquote>ACCEPT <i>z1 z2
|
||||||
@ -90,8 +93,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
|
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
|
With that rule in place, if you want to ignore 'ping' from z1 to z2
|
||||||
you need a rule of the form:<br>
|
then you need a rule of the form:<br>
|
||||||
|
|
||||||
<blockquote>DROP <i>z1 z2
|
<blockquote>DROP <i>z1 z2
|
||||||
</i>icmp 8<br>
|
</i>icmp 8<br>
|
||||||
@ -111,8 +114,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
|
|||||||
There are several aspects to the old Shorewall Ping management:<br>
|
There are several aspects to the old Shorewall Ping management:<br>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
|
<li>The <b>noping</b> and <b>filterping </b>interface options in
|
||||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||||
<li>The <b>FORWARDPING</b> option in<a
|
<li>The <b>FORWARDPING</b> option in<a
|
||||||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
||||||
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||||
@ -123,8 +126,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
|
|||||||
<ol>
|
<ol>
|
||||||
<li>Ping requests addressed to the firewall itself; and</li>
|
<li>Ping requests addressed to the firewall itself; and</li>
|
||||||
<li>Ping requests being forwarded to another system. Included here
|
<li>Ping requests being forwarded to another system. Included here
|
||||||
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and
|
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
|
||||||
simple routing.</li>
|
and simple routing.</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
These cases will be covered separately.<br>
|
These cases will be covered separately.<br>
|
||||||
@ -133,13 +136,13 @@ simple routing.</li>
|
|||||||
For ping requests addressed to the firewall, the sequence is as follows:<br>
|
For ping requests addressed to the firewall, the sequence is as follows:<br>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for
|
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
|
||||||
the interface that receives the ping request then the request will be responded
|
for the interface that receives the ping request then the request will
|
||||||
to with an ICMP echo-reply.</li>
|
be responded to with an ICMP echo-reply.</li>
|
||||||
<li>If <b>noping</b> is specified for the interface that receives
|
<li>If <b>noping</b> is specified for the interface that receives
|
||||||
the ping request then the request is ignored.</li>
|
the ping request then the request is ignored.</li>
|
||||||
<li>If <b>filterping </b>is specified for the interface then the request
|
<li>If <b>filterping </b>is specified for the interface then the
|
||||||
is passed to the rules/policy evaluation.</li>
|
request is passed to the rules/policy evaluation.</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
@ -153,7 +156,7 @@ the ping request then the request is ignored.</li>
|
|||||||
Destination </i>icmp 8<br>
|
Destination </i>icmp 8<br>
|
||||||
<br>
|
<br>
|
||||||
Example 1. Accept pings from the net to the dmz (pings are responded
|
Example 1. Accept pings from the net to the dmz (pings are responded
|
||||||
to with an ICMP echo-reply):<br>
|
to with an ICMP echo-reply):<br>
|
||||||
<br>
|
<br>
|
||||||
ACCEPT net dmz
|
ACCEPT net dmz
|
||||||
icmp 8<br>
|
icmp 8<br>
|
||||||
@ -165,11 +168,11 @@ to with an ICMP echo-reply):<br>
|
|||||||
|
|
||||||
<h3>Policy Evaluation</h3>
|
<h3>Policy Evaluation</h3>
|
||||||
If no applicable rule is found, then the policy for the source to the
|
If no applicable rule is found, then the policy for the source to the
|
||||||
destination is applied.<br>
|
destination is applied.<br>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>If the relevant policy is ACCEPT then the request is responded
|
<li>If the relevant policy is ACCEPT then the request is responded
|
||||||
to with an ICMP echo-reply.</li>
|
to with an ICMP echo-reply.</li>
|
||||||
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
|
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
|
||||||
then the request is responded to with an ICMP echo-reply.</li>
|
then the request is responded to with an ICMP echo-reply.</li>
|
||||||
<li>Otherwise, the relevant REJECT or DROP policy is used and the
|
<li>Otherwise, the relevant REJECT or DROP policy is used and the
|
||||||
@ -177,16 +180,11 @@ request is either rejected or simply ignored.</li>
|
|||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a>
|
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
|
||||||
</font></p>
|
</font></p>
|
||||||
|
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||||
<br>
|
</p>
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -71,9 +71,9 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
||||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
||||||
firewall that can be used on a dedicated firewall system, a multi-function
|
that can be used on a dedicated firewall system, a multi-function
|
||||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||||
|
|
||||||
|
|
||||||
@ -83,18 +83,18 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
|||||||
<p>This program is free software; you can redistribute it and/or modify
|
<p>This program is free software; you can redistribute it and/or modify
|
||||||
|
|
||||||
it under the terms of <a
|
it under the terms of <a
|
||||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||||
GNU General Public License</a> as published by the Free Software
|
General Public License</a> as published by the Free Software
|
||||||
Foundation.<br>
|
Foundation.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
This program is distributed in
|
This program is distributed in
|
||||||
the hope that it will be useful, but
|
the hope that it will be useful, but
|
||||||
WITHOUT ANY WARRANTY; without even the
|
WITHOUT ANY WARRANTY; without even
|
||||||
implied warranty of MERCHANTABILITY or
|
the implied warranty of MERCHANTABILITY
|
||||||
FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
General Public License for more details.<br>
|
GNU General Public License for more details.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
@ -102,7 +102,7 @@ General Public License for more details.<br>
|
|||||||
of the GNU General Public License
|
of the GNU General Public License
|
||||||
along with this program; if not, write
|
along with this program; if not, write
|
||||||
to the Free Software Foundation,
|
to the Free Software Foundation,
|
||||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -119,13 +119,14 @@ General Public License for more details.<br>
|
|||||||
|
|
||||||
|
|
||||||
<h2>Getting Started with Shorewall</h2>
|
<h2>Getting Started with Shorewall</h2>
|
||||||
New to Shorewall? Start by selecting the <a
|
New to Shorewall? Start by selecting the
|
||||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
|
<a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that
|
||||||
match your environment and follow the step by step instructions.<br>
|
most closely match your environment and follow the step by
|
||||||
|
step instructions.<br>
|
||||||
|
|
||||||
<h2>Looking for Information?</h2>
|
<h2>Looking for Information?</h2>
|
||||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
Index</a> is a good place to start as is the Quick Search to your right.
|
Index</a> is a good place to start as is the Quick Search to your right.
|
||||||
|
|
||||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||||
If so, the documentation<b> </b>on this site will not
|
If so, the documentation<b> </b>on this site will not
|
||||||
@ -142,20 +143,28 @@ Index</a> is a good place to start as is the Quick Search to your right.
|
|||||||
|
|
||||||
|
|
||||||
<p><b></b></p>
|
<p><b></b></p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
|
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
|
||||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
<br>
|
|
||||||
</b></p>
|
</b></p>
|
||||||
|
<blockquote>
|
||||||
|
<p><b><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
|
||||||
|
<a href="ftp://shorewall.net/pub/shorewall/testing"
|
||||||
|
target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
|
||||||
|
</b></p>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
<p><b>Problems Corrected:</b><br>
|
<p><b>Problems Corrected:</b><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>A problem seen on RH7.3 systems where Shorewall encountered start
|
<li>A problem seen on RH7.3 systems where Shorewall encountered
|
||||||
errors when started using the "service" mechanism has been worked around.<br>
|
start errors when started using the "service" mechanism has been worked
|
||||||
|
around.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Where a list of IP addresses appears in the DEST column of a
|
<li>Where a list of IP addresses appears in the DEST column of a
|
||||||
@ -166,7 +175,13 @@ a single DNAT rule with multiple "--to-destination" clauses.<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
|
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
|
||||||
were mis-handled when they appeared in the DEST column of a rule.<br>
|
were mis-handled when they appeared in the DEST column of a rule.<br>
|
||||||
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li>A number of problems with rule parsing have been corrected. Corrections
|
||||||
|
involve the handling of "z1!z2" in the SOURCE column as well as lists in
|
||||||
|
the ORIGINAL DESTINATION column.<br>
|
||||||
|
</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><b>Migration Issues:</b><br>
|
<p><b>Migration Issues:</b><br>
|
||||||
@ -186,8 +201,9 @@ entries of the following format:<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
|
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
|
||||||
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
|
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
|
||||||
detected by Shorewall (see below).<br>
|
detected by Shorewall (see below).<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><b>New Features:</b><br>
|
<p><b>New Features:</b><br>
|
||||||
@ -196,7 +212,7 @@ detected by Shorewall (see below).<br>
|
|||||||
<ol>
|
<ol>
|
||||||
<li>A 'newnotsyn' interface option has been added. This option may
|
<li>A 'newnotsyn' interface option has been added. This option may
|
||||||
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
|
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
|
||||||
for packets arriving on the associated interface.<br>
|
for packets arriving on the associated interface.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
|
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
|
||||||
@ -208,19 +224,19 @@ for packets arriving on the associated interface.<br>
|
|||||||
first one on an interface.<br>
|
first one on an interface.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>DNAT[-] rules may now be used to load balance (round-robin) over
|
<li>DNAT[-] rules may now be used to load balance (round-robin)
|
||||||
a set of servers. Servers may be specified in a range of addresses given
|
over a set of servers. Servers may be specified in a range of addresses
|
||||||
as <first address>-<last address>.<br>
|
given as <first address>-<last address>.<br>
|
||||||
<br>
|
<br>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
|
DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
|
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
|
||||||
have been removed and have been replaced by code that detects whether these
|
options have been removed and have been replaced by code that detects whether
|
||||||
capabilities are present in the current kernel. The output of the start,
|
these capabilities are present in the current kernel. The output of the
|
||||||
restart and check commands have been enhanced to report the outcome:<br>
|
start, restart and check commands have been enhanced to report the outcome:<br>
|
||||||
<br>
|
<br>
|
||||||
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
||||||
NAT: Available<br>
|
NAT: Available<br>
|
||||||
@ -231,10 +247,10 @@ restart and check commands have been enhanced to report the outcome:<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>Support for the Connection Tracking Match Extension has been
|
<li>Support for the Connection Tracking Match Extension has been
|
||||||
added. This extension is available in recent kernel/iptables releases and
|
added. This extension is available in recent kernel/iptables releases and
|
||||||
allows for rules which match against elements in netfilter's connection
|
allows for rules which match against elements in netfilter's connection tracking
|
||||||
tracking table. Shorewall automatically detects the availability of this
|
table. Shorewall automatically detects the availability of this extension
|
||||||
extension and reports its availability in the output of the start, restart
|
and reports its availability in the output of the start, restart and check
|
||||||
and check commands.<br>
|
commands.<br>
|
||||||
<br>
|
<br>
|
||||||
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
||||||
NAT: Available<br>
|
NAT: Available<br>
|
||||||
@ -243,12 +259,13 @@ and check commands.<br>
|
|||||||
Connection Tracking Match: Available<br>
|
Connection Tracking Match: Available<br>
|
||||||
Verifying Configuration...<br>
|
Verifying Configuration...<br>
|
||||||
<br>
|
<br>
|
||||||
If this extension is available, the ruleset generated by Shorewall is changed
|
If this extension is available, the ruleset generated by Shorewall is
|
||||||
in the following ways:</li>
|
changed in the following ways:</li>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>To handle 'norfc1918' filtering, Shorewall will not create
|
<li>To handle 'norfc1918' filtering, Shorewall will not create
|
||||||
chains in the mangle table but will rather do all 'norfc1918' filtering
|
chains in the mangle table but will rather do all 'norfc1918' filtering in
|
||||||
in the filter table (rfc1918 chain).</li>
|
the filter table (rfc1918 chain).</li>
|
||||||
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
|
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
|
||||||
one in the nat table and one in the filter table. If the Connection Tracking
|
one in the nat table and one in the filter table. If the Connection Tracking
|
||||||
Match Extension is available, the rule in the filter table is extended to
|
Match Extension is available, the rule in the filter table is extended to
|
||||||
@ -256,6 +273,7 @@ check that the original destination address was the same as specified (or
|
|||||||
defaulted to) in the DNAT rule.<br>
|
defaulted to) in the DNAT rule.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
|
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
|
||||||
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
|
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
|
||||||
@ -285,9 +303,9 @@ defaulted to) in the DNAT rule.<br>
|
|||||||
Warning:<br>
|
Warning:<br>
|
||||||
<br>
|
<br>
|
||||||
If your shell only supports 32-bit signed arithmatic (ash or dash), then
|
If your shell only supports 32-bit signed arithmatic (ash or dash), then
|
||||||
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
|
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
|
||||||
and for /1 networks. Bash should produce correct information for all valid
|
and for /1 networks. Bash should produce correct information for all valid
|
||||||
IP addresses.<br>
|
IP addresses.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
|
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
|
||||||
@ -324,7 +342,9 @@ then the range may not span 128.0.0.0.<br>
|
|||||||
<br>
|
<br>
|
||||||
foo eth1:192.168.1.0/24,192.168.2.0/24<br>
|
foo eth1:192.168.1.0/24,192.168.2.0/24<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
|
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
|
||||||
|
|
||||||
<p>Problems Corrected:<br>
|
<p>Problems Corrected:<br>
|
||||||
@ -345,10 +365,10 @@ file; previously, INCLUDE in that file was ignored.</li>
|
|||||||
</p>
|
</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
|
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
|
||||||
may now contain a list of addresses. If the list begins with "!' then
|
rule may now contain a list of addresses. If the list begins with "!'
|
||||||
the rule will take effect only if the original destination address in
|
then the rule will take effect only if the original destination address
|
||||||
the connection request does not match any of the addresses listed.</li>
|
in the connection request does not match any of the addresses listed.</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
@ -356,24 +376,28 @@ the connection request does not match any of the addresses listed.</li>
|
|||||||
</b></p>
|
</b></p>
|
||||||
|
|
||||||
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
|
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
|
||||||
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
|
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
|
||||||
problems have been encountered with this set of software. The Shorewall
|
have been encountered with this set of software. The Shorewall version
|
||||||
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
|
is 1.4.4b plus the accumulated changes for 1.4.5.<br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
|
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
|
||||||
|
|
||||||
|
|
||||||
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
|
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
|
||||||
version 1.4.4.</p>
|
version 1.4.4.</p>
|
||||||
|
|
||||||
|
|
||||||
<p><b></b></p>
|
<p><b></b></p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><a href="News.htm">More News</a></p>
|
<p><a href="News.htm">More News</a></p>
|
||||||
|
|
||||||
|
|
||||||
@ -395,8 +419,8 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
|
|||||||
</a></p>
|
</a></p>
|
||||||
|
|
||||||
|
|
||||||
<b>Congratulations to Jacques and Eric on the recent
|
<b>Congratulations to Jacques and Eric on the
|
||||||
release of Bering 1.2!!! </b><br>
|
recent release of Bering 1.2!!! </b><br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -477,11 +501,11 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
|
|||||||
|
|
||||||
|
|
||||||
<p align="center"><font size="4" color="#ffffff"><br>
|
<p align="center"><font size="4" color="#ffffff"><br>
|
||||||
<font size="+2"> Shorewall is free but if you try it
|
<font size="+2"> Shorewall is free but if you try
|
||||||
and find it useful, please consider making a donation
|
it and find it useful, please consider making a donation
|
||||||
to <a
|
to
|
||||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||||
Foundation.</font></a> Thanks!</font></font></p>
|
Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
|
|
||||||
@ -493,8 +517,9 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
|
<br>
|
||||||
|
</p>
|
||||||
<br>
|
<br>
|
||||||
</p>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -6,6 +6,7 @@
|
|||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
<title>About the Shorewall Author</title>
|
<title>About the Shorewall Author</title>
|
||||||
|
|
||||||
|
|
||||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||||
|
|
||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
@ -29,7 +30,7 @@
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
<p align="center"> <img border="3" src="images/Tom.jpg"
|
<p align="center"> <img border="3" src="images/Tom.jpg"
|
||||||
alt="Tom - June 2003" width="640" height="480">
|
alt="Aging Geek - June 2003" width="320" height="240">
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p align="center">Tom -- June 2003<br>
|
<p align="center">Tom -- June 2003<br>
|
||||||
@ -60,32 +61,32 @@
|
|||||||
ipchains and developed the scripts which are now collectively known
|
ipchains and developed the scripts which are now collectively known
|
||||||
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
|
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
|
||||||
Expanding on what I learned from Seattle Firewall, I then
|
Expanding on what I learned from Seattle Firewall, I then
|
||||||
designed and wrote Shorewall. </p>
|
designed and wrote Shorewall. </p>
|
||||||
|
|
||||||
<p>I telework from our <a
|
<p>I telework from our <a
|
||||||
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
|
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
|
||||||
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
|
href="http://www.cityofshoreline.com">Shoreline, Washington</a>
|
||||||
I live with my wife Tarry. </p>
|
where I live with my wife Tarry. </p>
|
||||||
|
|
||||||
<p>Our current home network consists of: </p>
|
<p>Our current home network consists of: </p>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
|
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
|
||||||
40GB & 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
|
40GB & 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
|
||||||
Windows system. Serves as a PPTP server for Road Warrior access. Dual
|
Windows system. Serves as a PPTP server for Road Warrior access. Dual
|
||||||
boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
|
boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
|
||||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
|
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
|
||||||
LNE100TX(Tulip) NIC - My personal Linux System which runs Samba.
|
LNE100TX(Tulip) NIC - My personal Linux System which runs
|
||||||
This system also has <a href="http://www.vmware.com/">VMware</a>
|
Samba. This system also has <a href="http://www.vmware.com/">VMware</a>
|
||||||
installed and can run both <a href="http://www.debian.org">Debian
|
installed and can run both <a href="http://www.debian.org">Debian
|
||||||
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
|
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
|
||||||
machines.</li>
|
machines.</li>
|
||||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
|
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD,
|
||||||
NIC - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
|
EEPRO100 NIC - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
|
||||||
FTP (Pure_ftpd), DNS server (Bind 9).</li>
|
FTP (Pure_ftpd), DNS server (Bind 9).</li>
|
||||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD
|
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
|
||||||
- 3 LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall
|
HD - 3 LNE100TX (Tulip) and 1 TLAN NICs - Firewall running Shorewall
|
||||||
1.4.4c, a DHCP server and Samba configured as a WINS server..</li>
|
1.4.6Beta1, a DHCP server and Samba configured as a WINS server..</li>
|
||||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
|
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
|
||||||
NIC - My wife's personal system.</li>
|
NIC - My wife's personal system.</li>
|
||||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
|
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
|
||||||
@ -125,11 +126,12 @@ FTP (Pure_ftpd), DNS server (Bind 9).</li>
|
|||||||
height="75" border="0">
|
height="75" border="0">
|
||||||
</a><a href="http://www.opera.com"> </a> </font></p>
|
</a><a href="http://www.opera.com"> </a> </font></p>
|
||||||
|
|
||||||
<p><font size="2">Last updated 6/15/2003 - </font><font size="2"> <a
|
<p><font size="2">Last updated 7/14/2003 - </font><font size="2"> <a
|
||||||
href="support.htm">Tom Eastep</a></font> </p>
|
href="support.htm">Tom Eastep</a></font> </p>
|
||||||
<font face="Trebuchet MS"><a
|
<font face="Trebuchet MS"><a
|
||||||
href="copyright.htm"><font size="2">Copyright</font> © <font
|
href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||||
<br>
|
<br>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -30,30 +30,31 @@
|
|||||||
Shorewall Requires:<br>
|
Shorewall Requires:<br>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
|
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
|
||||||
With current releases of Shorewall, Traffic Shaping/Control requires at
|
2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
|
||||||
least 2.4.18. <a href="kernel.htm"> Check here for kernel configuration
|
at least 2.4.18. <a href="kernel.htm"> Check here for kernel
|
||||||
information.</a> If you are looking for a firewall for use with
|
configuration information.</a> If you are looking for a firewall
|
||||||
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
|
for use with 2.2 kernels, <a href="http://seawall.sf.net"> see
|
||||||
Firewall site</a> .</li>
|
the Seattle Firewall site</a> .</li>
|
||||||
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
|
<li>iptables 1.2 or later but beware version 1.2.3 -- see the
|
||||||
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
|
<a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
|
||||||
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
|
</b></font>The buggy iptables version 1.2.3 is included in RedHat
|
||||||
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
|
7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall.
|
||||||
is available <a
|
Version 1.2.4 is available <a
|
||||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
|
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
|
||||||
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
|
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
|
||||||
<li>Iproute ("ip" utility). The iproute package is included
|
<li>Iproute ("ip" utility). The iproute package is included
|
||||||
with most distributions but may not be installed by default. The official
|
with most distributions but may not be installed by default. The official
|
||||||
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
|
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
|
||||||
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
|
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
|
||||||
</li>
|
</li>
|
||||||
<li>A Bourne shell or derivative such as bash or ash. This shell
|
<li>A Bourne shell or derivative such as bash or ash. This shell
|
||||||
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
|
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
|
||||||
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
|
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
|
||||||
} and ${<i>variable</i>##<i>pattern</i>}.</li>
|
} and ${<i>variable</i>##<i>pattern</i>}.</li>
|
||||||
<li>Must produce a sensible result when a number n (128 <= n <= 255)
|
<li>Your shell must produce a sensible result when a number n (128 <=
|
||||||
is left shifted by 24 bits. You can check this at a shell prompt by:</li>
|
n <= 255) is left shifted by 24 bits. You can check this at a shell prompt
|
||||||
|
by:</li>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>echo $((128 << 24))<br>
|
<li>echo $((128 << 24))<br>
|
||||||
@ -62,12 +63,12 @@ is left shifted by 24 bits. You can check this at a shell prompt by:</li>
|
|||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
<li>The firewall monitoring display is greatly improved if you have
|
<li>The firewall monitoring display is greatly improved if you
|
||||||
awk (gawk) installed.</li>
|
have awk (gawk) installed.</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<p align="left"><font size="2">Last updated 7/4/2003 - <a
|
<p align="left"><font size="2">Last updated 7/8/2003 - <a
|
||||||
href="support.htm">Tom Eastep</a></font></p>
|
href="support.htm">Tom Eastep</a></font></p>
|
||||||
|
|
||||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||||
@ -79,5 +80,6 @@ is left shifted by 24 bits. You can check this at a shell prompt by:</li>
|
|||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -84,18 +84,18 @@
|
|||||||
<p>This program is free software; you can redistribute it and/or modify
|
<p>This program is free software; you can redistribute it and/or modify
|
||||||
|
|
||||||
it under the terms of <a
|
it under the terms of <a
|
||||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
||||||
General Public License</a> as published by the Free Software
|
GNU General Public License</a> as published by the Free Software
|
||||||
Foundation.<br>
|
Foundation.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
This program is distributed in
|
This program is distributed in
|
||||||
the hope that it will be useful, but
|
the hope that it will be useful, but
|
||||||
WITHOUT ANY WARRANTY; without even
|
WITHOUT ANY WARRANTY; without even the
|
||||||
the implied warranty of MERCHANTABILITY
|
implied warranty of MERCHANTABILITY or
|
||||||
or FITNESS FOR A PARTICULAR PURPOSE. See the
|
FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
GNU General Public License for more details.<br>
|
General Public License for more details.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
@ -103,7 +103,7 @@ the implied warranty of MERCHANTABILITY
|
|||||||
of the GNU General Public License
|
of the GNU General Public License
|
||||||
along with this program; if not, write
|
along with this program; if not, write
|
||||||
to the Free Software Foundation,
|
to the Free Software Foundation,
|
||||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -117,18 +117,19 @@ Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
|||||||
|
|
||||||
|
|
||||||
<h2>Getting Started with Shorewall</h2>
|
<h2>Getting Started with Shorewall</h2>
|
||||||
New to Shorewall? Start by selecting the <a
|
New to Shorewall? Start by selecting the
|
||||||
|
<a
|
||||||
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
|
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
|
||||||
Guide</a> that most closely match your environment and follow
|
Guide</a> that most closely match your environment and follow
|
||||||
the step by step instructions.<br>
|
the step by step instructions.<br>
|
||||||
|
|
||||||
<h2>Looking for Information?</h2>
|
<h2>Looking for Information?</h2>
|
||||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||||
Index</a> is a good place to start as is the Quick Search to your right.
|
Index</a> is a good place to start as is the Quick Search to your right.
|
||||||
|
|
||||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||||
If so, the documentation<b> </b>on this site will not
|
If so, the documentation<b> </b>on this site will
|
||||||
apply directly to your setup. If you want to use the documentation
|
not apply directly to your setup. If you want to use the documentation
|
||||||
that you find here, you will want to consider uninstalling what you have
|
that you find here, you will want to consider uninstalling what you have
|
||||||
and installing a setup that matches the documentation on this site.
|
and installing a setup that matches the documentation on this site.
|
||||||
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
|
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
|
||||||
@ -138,17 +139,23 @@ Index</a> is a good place to start as is the Quick Search to your right.
|
|||||||
|
|
||||||
|
|
||||||
<h2><b>News</b></h2>
|
<h2><b>News</b></h2>
|
||||||
<p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
|
|
||||||
|
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
|
||||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
<br>
|
<br>
|
||||||
</b></p>
|
</b> </p>
|
||||||
|
<blockquote><b><a
|
||||||
|
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
|
||||||
|
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
|
||||||
|
ftp://shorewall.net/pub/shorewall/testing</a></b></blockquote>
|
||||||
|
|
||||||
<p><b>Problems Corrected:</b><br>
|
<p><b>Problems Corrected:</b><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>A problem seen on RH7.3 systems where Shorewall encountered start
|
<li>A problem seen on RH7.3 systems where Shorewall encountered
|
||||||
errors when started using the "service" mechanism has been worked around.<br>
|
start errors when started using the "service" mechanism has been worked
|
||||||
|
around.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Where a list of IP addresses appears in the DEST column of a
|
<li>Where a list of IP addresses appears in the DEST column of a
|
||||||
@ -159,7 +166,13 @@ a single DNAT rule with multiple "--to-destination" clauses.<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
|
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
|
||||||
were mis-handled when they appeared in the DEST column of a rule.<br>
|
were mis-handled when they appeared in the DEST column of a rule.<br>
|
||||||
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
<li value="4">A number of problems with rule parsing have been corrected.
|
||||||
|
Corrections involve the handling of "z1!z2" in the SOURCE column as well
|
||||||
|
as lists in the ORIGINAL DESTINATION column.<br>
|
||||||
|
</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><b>Migration Issues:</b><br>
|
<p><b>Migration Issues:</b><br>
|
||||||
@ -179,8 +192,9 @@ entries of the following format:<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
|
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
|
||||||
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
|
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
|
||||||
detected by Shorewall (see below).<br>
|
detected by Shorewall (see below).<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><b>New Features:</b><br>
|
<p><b>New Features:</b><br>
|
||||||
@ -189,7 +203,7 @@ detected by Shorewall (see below).<br>
|
|||||||
<ol>
|
<ol>
|
||||||
<li>A 'newnotsyn' interface option has been added. This option may
|
<li>A 'newnotsyn' interface option has been added. This option may
|
||||||
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
|
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
|
||||||
for packets arriving on the associated interface.<br>
|
for packets arriving on the associated interface.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
|
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
|
||||||
@ -201,19 +215,19 @@ for packets arriving on the associated interface.<br>
|
|||||||
first one on an interface.<br>
|
first one on an interface.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>DNAT[-] rules may now be used to load balance (round-robin) over
|
<li>DNAT[-] rules may now be used to load balance (round-robin)
|
||||||
a set of servers. Servers may be specified in a range of addresses given
|
over a set of servers. Servers may be specified in a range of addresses
|
||||||
as <first address>-<last address>.<br>
|
given as <first address>-<last address>.<br>
|
||||||
<br>
|
<br>
|
||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
|
DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
|
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
|
||||||
have been removed and have been replaced by code that detects whether these
|
options have been removed and have been replaced by code that detects whether
|
||||||
capabilities are present in the current kernel. The output of the start,
|
these capabilities are present in the current kernel. The output of the
|
||||||
restart and check commands have been enhanced to report the outcome:<br>
|
start, restart and check commands have been enhanced to report the outcome:<br>
|
||||||
<br>
|
<br>
|
||||||
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
||||||
NAT: Available<br>
|
NAT: Available<br>
|
||||||
@ -224,10 +238,10 @@ restart and check commands have been enhanced to report the outcome:<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>Support for the Connection Tracking Match Extension has been
|
<li>Support for the Connection Tracking Match Extension has been
|
||||||
added. This extension is available in recent kernel/iptables releases and
|
added. This extension is available in recent kernel/iptables releases and
|
||||||
allows for rules which match against elements in netfilter's connection
|
allows for rules which match against elements in netfilter's connection tracking
|
||||||
tracking table. Shorewall automatically detects the availability of this
|
table. Shorewall automatically detects the availability of this extension
|
||||||
extension and reports its availability in the output of the start, restart
|
and reports its availability in the output of the start, restart and check
|
||||||
and check commands.<br>
|
commands.<br>
|
||||||
<br>
|
<br>
|
||||||
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
Shorewall has detected the following iptables/netfilter capabilities:<br>
|
||||||
NAT: Available<br>
|
NAT: Available<br>
|
||||||
@ -236,12 +250,13 @@ and check commands.<br>
|
|||||||
Connection Tracking Match: Available<br>
|
Connection Tracking Match: Available<br>
|
||||||
Verifying Configuration...<br>
|
Verifying Configuration...<br>
|
||||||
<br>
|
<br>
|
||||||
If this extension is available, the ruleset generated by Shorewall is changed
|
If this extension is available, the ruleset generated by Shorewall is
|
||||||
in the following ways:</li>
|
changed in the following ways:</li>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>To handle 'norfc1918' filtering, Shorewall will not create
|
<li>To handle 'norfc1918' filtering, Shorewall will not create
|
||||||
chains in the mangle table but will rather do all 'norfc1918' filtering
|
chains in the mangle table but will rather do all 'norfc1918' filtering in
|
||||||
in the filter table (rfc1918 chain).</li>
|
the filter table (rfc1918 chain).</li>
|
||||||
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
|
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
|
||||||
one in the nat table and one in the filter table. If the Connection Tracking
|
one in the nat table and one in the filter table. If the Connection Tracking
|
||||||
Match Extension is available, the rule in the filter table is extended to
|
Match Extension is available, the rule in the filter table is extended to
|
||||||
@ -249,6 +264,7 @@ check that the original destination address was the same as specified (or
|
|||||||
defaulted to) in the DNAT rule.<br>
|
defaulted to) in the DNAT rule.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
|
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
|
||||||
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
|
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
|
||||||
@ -278,9 +294,9 @@ defaulted to) in the DNAT rule.<br>
|
|||||||
Warning:<br>
|
Warning:<br>
|
||||||
<br>
|
<br>
|
||||||
If your shell only supports 32-bit signed arithmatic (ash or dash), then
|
If your shell only supports 32-bit signed arithmatic (ash or dash), then
|
||||||
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
|
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
|
||||||
and for /1 networks. Bash should produce correct information for all valid
|
and for /1 networks. Bash should produce correct information for all valid
|
||||||
IP addresses.<br>
|
IP addresses.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
|
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
|
||||||
@ -316,6 +332,7 @@ then the range may not span 128.0.0.0.<br>
|
|||||||
Example:<br>
|
Example:<br>
|
||||||
<br>
|
<br>
|
||||||
foo eth1:192.168.1.0/24,192.168.2.0/24</li>
|
foo eth1:192.168.1.0/24,192.168.2.0/24</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
<b> </b>
|
<b> </b>
|
||||||
<ol>
|
<ol>
|
||||||
@ -342,18 +359,18 @@ file; previously, INCLUDE in that file was ignored.</li>
|
|||||||
</p>
|
</p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
|
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
|
||||||
may now contain a list of addresses. If the list begins with "!' then
|
rule may now contain a list of addresses. If the list begins with "!'
|
||||||
the rule will take effect only if the original destination address in
|
then the rule will take effect only if the original destination address
|
||||||
the connection request does not match any of the addresses listed.</li>
|
in the connection request does not match any of the addresses listed.</li>
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
|
||||||
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
|
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
|
||||||
</b></p>
|
</b></p>
|
||||||
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
|
The firewall at shorewall.net has been upgraded to the 2.4.21
|
||||||
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
|
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
|
||||||
problems have been encountered with this set of software. The Shorewall
|
No problems have been encountered with this set of software. The Shorewall
|
||||||
version is 1.4.4b plus the accumulated changes for 1.4.5.
|
version is 1.4.4b plus the accumulated changes for 1.4.5.
|
||||||
|
|
||||||
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
|
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
|
||||||
@ -362,6 +379,7 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
|
|||||||
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
|
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
|
||||||
version 1.4.4.</p>
|
version 1.4.4.</p>
|
||||||
|
|
||||||
|
|
||||||
<p><b></b></p>
|
<p><b></b></p>
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
@ -421,8 +439,8 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
|
|||||||
have a LEAF (router/firewall/gateway
|
have a LEAF (router/firewall/gateway
|
||||||
on a floppy, CD or compact flash) distribution
|
on a floppy, CD or compact flash) distribution
|
||||||
called <i>Bering</i> that features
|
called <i>Bering</i> that features
|
||||||
Shorewall-1.4.2 and Kernel-2.4.20. You
|
Shorewall-1.4.2 and Kernel-2.4.20.
|
||||||
can find their work at: <a
|
You can find their work at: <a
|
||||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||||
|
|
||||||
<b>Congratulations to Jacques
|
<b>Congratulations to Jacques
|
||||||
@ -524,6 +542,7 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p align="center"><a href="http://www.starlight.org"> <img
|
<p align="center"><a href="http://www.starlight.org"> <img
|
||||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||||
hspace="10">
|
hspace="10">
|
||||||
@ -536,7 +555,7 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
|
|||||||
|
|
||||||
<p align="center"><font size="4" color="#ffffff"><br>
|
<p align="center"><font size="4" color="#ffffff"><br>
|
||||||
<font size="+2">Shorewall is free but if you try it
|
<font size="+2">Shorewall is free but if you try it
|
||||||
and find it useful, please consider making a donation
|
and find it useful, please consider making a donation
|
||||||
to <a
|
to <a
|
||||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||||
Foundation.</font></a> Thanks!</font></font></p>
|
Foundation.</font></a> Thanks!</font></font></p>
|
||||||
@ -551,7 +570,7 @@ and find it useful, please consider making a donation
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
<br>
|
<br>
|
||||||
</p>
|
</p>
|
||||||
</body>
|
</body>
|
||||||
|
@ -29,9 +29,9 @@
|
|||||||
|
|
||||||
<h2>Before Reporting a Problem or Asking a Question<br>
|
<h2>Before Reporting a Problem or Asking a Question<br>
|
||||||
</h2>
|
</h2>
|
||||||
There
|
|
||||||
are a number of sources of Shorewall information. Please try
|
There are a number of sources of Shorewall information. Please
|
||||||
these before you post.
|
try these before you post.
|
||||||
<ul>
|
<ul>
|
||||||
<li>Shorewall versions
|
<li>Shorewall versions
|
||||||
earlier that 1.3.0 are no longer supported.<br>
|
earlier that 1.3.0 are no longer supported.<br>
|
||||||
@ -43,17 +43,17 @@ earlier that 1.3.0 are no longer supported.<br>
|
|||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
|
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
|
||||||
has solutions to more than 20 common problems.
|
has solutions to more than 20 common problems.
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
|
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
|
||||||
Information contains a number of tips to
|
Information contains a number of tips to
|
||||||
help you solve common problems. </li>
|
help you solve common problems. </li>
|
||||||
<li> The
|
|
||||||
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
|
|
||||||
to download updated components. </li>
|
|
||||||
<li>
|
<li>
|
||||||
The Site and Mailing List Archives search facility can
|
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
|
||||||
|
has links to download updated components. </li>
|
||||||
|
<li>
|
||||||
|
The Site and Mailing List Archives search facility can
|
||||||
locate documents and posts about similar problems:
|
locate documents and posts about similar problems:
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
@ -96,8 +96,8 @@ locate documents and posts about similar problems:
|
|||||||
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
|
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
|
||||||
</select>
|
</select>
|
||||||
</font><br>
|
</font><br>
|
||||||
Search: <input type="text" size="30" name="words"
|
Search: <input type="text" size="30"
|
||||||
value=""> <input type="submit" value="Search"><br>
|
name="words" value=""> <input type="submit" value="Search"><br>
|
||||||
</form>
|
</form>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
@ -114,21 +114,21 @@ locate documents and posts about similar problems:
|
|||||||
is lacking.<br>
|
is lacking.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Please keep in mind that you're
|
<li>Please keep in mind that
|
||||||
asking for <strong>free</strong> technical support.
|
you're asking for <strong>free</strong> technical
|
||||||
Any help we offer is an act of generosity, not an obligation.
|
support. Any help we offer is an act of generosity, not an obligation.
|
||||||
Try to make it easy for us to help you. Follow good, courteous
|
Try to make it easy for us to help you. Follow good, courteous
|
||||||
practices in writing and formatting your e-mail. Provide details
|
practices in writing and formatting your e-mail. Provide details that
|
||||||
that we need if you expect good answers. <em>Exact quoting </em>
|
we need if you expect good answers. <em>Exact quoting </em> of
|
||||||
of error messages, log entries, command output, and other output is
|
error messages, log entries, command output, and other output is better
|
||||||
better than a paraphrase or summary.<br>
|
than a paraphrase or summary.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
Please don't describe your environment and then ask
|
Please don't describe your environment and then
|
||||||
us to send you custom configuration files. We're
|
ask us to send you custom configuration files.
|
||||||
here to answer your questions but we can't do
|
We're here to answer your questions but we can't
|
||||||
your job for you.<br>
|
do your job for you.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>When reporting a problem,
|
<li>When reporting a problem,
|
||||||
@ -185,19 +185,20 @@ better than a paraphrase or summary.<br>
|
|||||||
<ul>
|
<ul>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li><font color="#ff0000"><u><i><big><b>THIS IS IMPORTANT!<br>
|
<li><big><font color="#ff0000"><u><i><big><b>THIS IS
|
||||||
|
IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem
|
||||||
|
is that some type of connection to/from or through your firewall isn't working
|
||||||
|
then please perform the following four steps:</big></big></big><br>
|
||||||
<br>
|
<br>
|
||||||
</b></big></i></u></font>If your problem is that some type of connection
|
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
|
||||||
to/from or through your firewall isn't working then please:<br>
|
|
||||||
<br>
|
|
||||||
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
|
|
||||||
<br>
|
<br>
|
||||||
2. Try making the connection that is failing.<br>
|
2. Try making the connection that is failing.<br>
|
||||||
<br>
|
<br>
|
||||||
3.<b><font color="#009900"> /sbin/shorewall
|
3.<b><font color="#009900"> /sbin/shorewall
|
||||||
status > /tmp/status.txt</font></b><br>
|
status > /tmp/status.txt</font></b><br>
|
||||||
<br>
|
<br>
|
||||||
4. Post the /tmp/status.txt file as an attachment.<br>
|
4. Post the /tmp/status.txt file as an attachment
|
||||||
|
(you may compress it if you like).<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>the exact wording of any <code
|
<li>the exact wording of any <code
|
||||||
@ -224,10 +225,10 @@ in the SMTP headers of your post).<br>
|
|||||||
<br>
|
<br>
|
||||||
<strong></strong></li>
|
<strong></strong></li>
|
||||||
<li>Do you see any "Shorewall" messages
|
<li>Do you see any "Shorewall" messages
|
||||||
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
|
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
|
||||||
when you exercise the function that is giving you problems?
|
when you exercise the function that is giving you problems?
|
||||||
If so, include the message(s) in your post along with a copy of your
|
If so, include the message(s) in your post along with a copy of
|
||||||
/etc/shorewall/interfaces file.<br>
|
your /etc/shorewall/interfaces file.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Please include any of the Shorewall configuration
|
<li>Please include any of the Shorewall configuration
|
||||||
@ -239,15 +240,15 @@ If so, include the message(s) in your post along with a copy of your
|
|||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>If an error occurs when you try to
|
<li>If an error occurs when you try to
|
||||||
"<font color="#009900"><b>shorewall start</b></font>", include
|
"<font color="#009900"><b>shorewall start</b></font>", include
|
||||||
a trace (See the <a
|
a trace (See the <a
|
||||||
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
|
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
|
||||||
section for instructions).<br>
|
section for instructions).<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li><b>The list server limits posts to 120kb so
|
<li><b>The list server limits posts to 120kb so
|
||||||
don't post GIFs of your network layout,
|
don't post GIFs of your network layout,
|
||||||
etc. to the Mailing List -- your post will be rejected.</b></li>
|
etc. to the Mailing List -- your post will be rejected.</b></li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
@ -259,28 +260,28 @@ etc. to the Mailing List -- your post will be rejected.</b><
|
|||||||
|
|
||||||
<h2>When using the mailing list, please post in plain text</h2>
|
<h2>When using the mailing list, please post in plain text</h2>
|
||||||
|
|
||||||
<blockquote> A growing number of MTAs serving list subscribers are
|
<blockquote> A growing number of MTAs serving list subscribers are rejecting
|
||||||
rejecting all HTML traffic. At least one MTA has gone so far as to
|
all HTML traffic. At least one MTA has gone so far as to blacklist
|
||||||
blacklist shorewall.net "for continuous abuse" because it has been
|
shorewall.net "for continuous abuse" because it has been my policy
|
||||||
my policy to allow HTML in list posts!!<br>
|
to allow HTML in list posts!!<br>
|
||||||
<br>
|
<br>
|
||||||
I think that blocking all HTML
|
I think that blocking all
|
||||||
is a Draconian way to control spam and that the ultimate
|
HTML is a Draconian way to control spam and that the
|
||||||
losers here are not the spammers but the list subscribers
|
ultimate losers here are not the spammers but the list subscribers
|
||||||
whose MTAs are bouncing all shorewall.net mail. As one list
|
whose MTAs are bouncing all shorewall.net mail. As one list
|
||||||
subscriber wrote to me privately "These e-mail admin's need
|
subscriber wrote to me privately "These e-mail admin's need
|
||||||
to get a <i>(expletive deleted)</i> life instead of trying to
|
to get a <i>(expletive deleted)</i> life instead of trying to rid
|
||||||
rid the planet of HTML based e-mail". Nevertheless, to allow
|
the planet of HTML based e-mail". Nevertheless, to allow subscribers
|
||||||
subscribers to receive list posts as must as possible, I have now
|
to receive list posts as must as possible, I have now configured
|
||||||
configured the list server at shorewall.net to strip all HTML from
|
the list server at shorewall.net to strip all HTML from outgoing
|
||||||
outgoing posts.<br>
|
posts.<br>
|
||||||
<br>
|
<br>
|
||||||
<big><font color="#cc0000"><b>If you run your own outgoing mail server
|
<big><font color="#cc0000"><b>If you run your own outgoing mail server
|
||||||
and it doesn't have a valid DNS PTR record, your email won't reach the lists
|
and it doesn't have a valid DNS PTR record, your email won't reach the lists
|
||||||
unless/until the postmaster notices that your posts are being rejected. To
|
unless/until the postmaster notices that your posts are being rejected.
|
||||||
avoid this problem, you should configure your MTA to forward posts to shorewall.net
|
To avoid this problem, you should configure your MTA to forward posts to
|
||||||
through an MTA that <u>does</u> have a valid PTR record (such as the one
|
shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
|
||||||
at your ISP). </b></font></big><br>
|
as the one at your ISP). </b></font></big><br>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||||
@ -312,12 +313,10 @@ at your ISP). </b></font></big><br>
|
|||||||
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
|
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p align="left"><font size="2">Last Updated 7/6/2003 - Tom Eastep</font></p>
|
<p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
|
||||||
|
|
||||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||||
</p>
|
</p>
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=1.4.6Beta2
|
VERSION=1.4.6RC1
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -54,7 +54,7 @@
|
|||||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=1.4.6Beta2
|
VERSION=1.4.6RC1
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 1.4.6
|
%define version 1.4.6
|
||||||
%define release 0Beta2
|
%define release 0RC1
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
@ -105,6 +105,8 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
- Changed version to 1.4.6-0RC1
|
||||||
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
|
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
|
||||||
- Changed version to 1.4.6-0Beta2
|
- Changed version to 1.4.6-0Beta2
|
||||||
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
|
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=1.4.6Beta2
|
VERSION=1.4.6RC1
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
Loading…
Reference in New Issue
Block a user