Shorewall 1.4.6 RC1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-07-14 22:09:33 +00:00
parent defe814ca5
commit 88e1eb7e4d
16 changed files with 5403 additions and 5050 deletions




@ -0,0 +1,50 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<small> </small><small>
</small><small>
</small><small>
</small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall
<b>Cannot</b> Do</font></small></h1>
<small> </small></td>
</tr>
</tbody>
</table>
<small><br>
</small>Shorewall cannot:<br>
<ul>
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by application.</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br>
</li>
</ul>
<br>
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>


@ -12,8 +12,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -21,121 +21,125 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a <li> <a
href="download.htm">Download</a><br> href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <li> <a
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li> href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <b><a
<li><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a <li> <a
href="errata.htm">Errata</a></li> href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a <li> <a
href="support.htm">Getting help or Answers to Questions</a></li> href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br> href="http://lists.shorewall.net"> </a><br>
</li> </li>
<li><a href="1.3" <li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li> target="_top">Shorewall 1.3 Site</a></li>
<li><a <li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
1.2 Site</a></li> Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a <li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a <li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a <li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" <li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" <li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li> target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br> <li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a <li> <a
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a <li> <a
href="quotes.htm">Quotes from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li>GSLUG Presentation</li> <li>GSLUG Presentation</li>
<ul> <ul>
<li><a href="GSLUG.htm">HTML</a></li> <li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br> <li><a href="GSLUG.ppt">PowerPoint</a><br>
</li> </li>
</ul> </ul>
<li> <a <li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -12,7 +12,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
@ -21,120 +21,124 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a <li> <a
href="download.htm">Download</a><br> href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <li> <a
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li> href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a <li> <a
href="errata.htm">Errata</a></li> href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a <li> <a
href="support.htm">Getting help or Answers to Questions</a> href="support.htm">Getting help or Answers to Questions</a>
</li> </li>
<li><a <li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br> href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li> <li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a <li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2 href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
Site</a></li> 1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a <li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a <li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a <li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" <li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" <li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li> target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br> <li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a <li> <a
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li>GSLUG Presentation</li> <li>GSLUG Presentation</li>
<ul> <ul>
<li><a href="GSLUG.htm">HTML</a></li> <li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br> <li><a href="GSLUG.ppt">PowerPoint</a><br>
</li> </li>
</ul> </ul>
<li> <a <li> <a
href="quotes.htm">Quotes from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li> <a <li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -19,48 +19,48 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" <td width="33%" valign="middle"
align="left"> align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font><a <p align="right"><font color="#ffffff"><b>  </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif" href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> alt="(Razor Logo)" width="100" height="22" align="left" border="0">
</a> </p> </a> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <td valign="middle" width="33%">
<a href="http://www.postfix.org/"> <img <a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="158" src="images/postfix-white.gif" align="right" border="0" width="158"
height="84" alt="(Postfix Logo)"> height="84" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><b><font color="#ffffff"><br> <div align="right"><b><font color="#ffffff"><br>
</font></b><br> </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -68,69 +68,62 @@
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:postmaster@shorewall.net">me</a> know</p> let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep at <p align="left">You can report such problems by sending mail to tmeastep
hotmail dot com.</p> at hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a <h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks <p>Please note that the mail server at shorewall.net
incoming mail:<br> checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a <li>against <a
href="http://spamassassin.org">Spamassassin</a> (including <a href="http://spamassassin.org">Spamassassin</a> (including <a
href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully <li>to ensure that the sender address is fully
qualified.</li> qualified.</li>
<li>to verify that the sender's domain has an <li>to verify that the sender's domain has an
A or MX record in DNS.</li> A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO <li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li> command is a valid fully-qualified DNS name that resolves.</li>
<li>to ensure that the sending system has a valid PTR record in DNS.</li>
</ol> </ol>
<big><font color="#cc0000"><b>This last point is important. If you run your
own outgoing mail server and it doesn't have a valid DNS PTR record, your
email won't reach the lists unless/until the postmaster notices that your
posts are being rejected. To avoid this problem, you should configure your
MTA to forward posts to shorewall.net through an MTA that <u>does</u> have
a valid PTR record (such as the one at your ISP). </b></font></big><br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to rejecting all HTML traffic. At least one MTA has gone so far as
blacklist shorewall.net "for continuous abuse" because it has been my to blacklist shorewall.net "for continuous abuse" because it has been
policy to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to I think that blocking all HTML is a Draconian way to
control spam and that the ultimate losers here are not the spammers control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to rid need to get a <i>(explitive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers the planet of HTML based e-mail". Nevertheless, to allow subscribers to
to receive list posts as must as possible, I have now configured the receive list posts as must as possible, I have now configured the list
list server at shorewall.net to strip all HTML from outgoing posts. server at shorewall.net to strip all HTML from outgoing posts. This
This means that HTML-only posts will be bounced by the list server.<br> means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, If you find that you are missing an occasional list post,
your e-mail admin may be blocking mail whose <i>Received:</i> headers your e-mail admin may be blocking mail whose <i>Received:</i> headers
contain the names of certain ISPs. Again, I believe that such policies contain the names of certain ISPs. Again, I believe that such policies
hurt more than they help but I'm not prepared to go so far as to start hurt more than they help but I'm not prepared to go so far as to start
stripping <i>Received:</i> headers to circumvent those policies.<br> stripping <i>Received:</i> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
@ -142,12 +135,12 @@ This means that HTML-only posts will be bounced by the list server.<br>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -156,46 +149,46 @@ This means that HTML-only posts will be bounced by the list server.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden"
value="htdig"> <input type="hidden" name="restrict" name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire <h2 align="left"><font color="#ff0000">Please do not try to download the
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
stand the traffic. If I catch you, you will be blacklisted.<br> won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site), by Shoreline Firewall (such as the one used on my web site), you
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a> may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to then you can either use unencrypted access when subscribing to Shorewall
Shorewall mailing lists or you can use secure access (SSL) and mailing lists or you can use secure access (SSL) and accept the
accept the server's certificate when prompted by your browser.<br> server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also of general interest to the Shorewall user community is also posted
posted to this list.</p> to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem the <a href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.</b></p> reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -207,30 +200,30 @@ reporting guidelines</a>.</b></p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
@ -240,12 +233,12 @@ list may be found at <a
coordinating ongoing Shorewall Development.</p> coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -265,12 +258,12 @@ list may be found at <a
to make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
@ -278,14 +271,14 @@ list may be found at <a
your subscription email address:". Enter your email address your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" in the box and click on the "<b>Unsubscribe</b> or edit options"
button.</p> button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be there is another button that will cause your password to be
emailed to you.</p> emailed to you.</p>
</li> </li>
</ul> </ul>
@ -294,11 +287,12 @@ emailed to you.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 6/14/2003 - <a <p align="left"><font size="2">Last updated 7/7/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -13,180 +13,178 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1> <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time with the latest change Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.4.0. <br> coming in Shorewall version 1.4.0. To find out which version of Shorewall
you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2> <h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br> like any other connection request.<br>
<br> <br>
In order to accept ping requests from zone z1 to zone z2 where the policy In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br> form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example: <br> Example: <br>
<br> <br>
To permit ping from the local zone to the firewall:<br> To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
If you would like to accept 'ping' by default even when the relevant If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br> already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then With that rule in place, if you want to ignore 'ping' from z1 to z2
you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example:<br> Example:<br>
<br> <br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<br> <br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No <h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2> in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:<br> need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example: <br> Example: <br>
<br> <br>
To permit ping from the local zone to the firewall:<br> To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
If you would like to accept 'ping' by default even when the relevant If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br> already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then With that rule in place, if you want to ignore 'ping' from z1 to z2
you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example:<br> Example:<br>
<br> <br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br> <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2> </h2>
There are several aspects to the old Shorewall Ping management:<br> There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here <li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
simple routing.</li> and simple routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3> <h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for <li>If neither <b>noping</b> nor <b>filterping </b>are specified
the interface that receives the ping request then the request will be responded for the interface that receives the ping request then the request will
to with an ICMP echo-reply.</li> be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives <li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li> the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the
is passed to the rules/policy evaluation.</li> request is passed to the rules/policy evaluation.</li>
</ol> </ol>
<h3>Ping Requests Forwarded by the Firewall</h3> <h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br> These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3> <h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br> Ping requests are ICMP type 8. So the general rule format is:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br> Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 1. Accept pings from the net to the dmz (pings are responded Example 1. Accept pings from the net to the dmz (pings are responded
to with an ICMP echo-reply):<br> to with an ICMP echo-reply):<br>
<br> <br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 2. Drop pings from the net to the firewall<br> Example 2. Drop pings from the net to the firewall<br>
<br> <br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3> <h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the If no applicable rule is found, then the policy for the source to the
destination is applied.<br> destination is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded <li>If the relevant policy is ACCEPT then the request is responded
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li> then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the <li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li> request is either rejected or simply ignored.</li>
</ol> </ol>
<p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>


@ -9,7 +9,7 @@
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -18,32 +18,32 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" valign="middle" <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td> </td>
<td valign="middle"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net" <h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119" target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<br> <br>
</td> </td>
</tr> </tr>
@ -56,11 +56,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -71,10 +71,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
firewall that can be used on a dedicated firewall system, a multi-function that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -82,27 +82,27 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
GNU General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in This program is distributed in
the hope that it will be useful, but the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the WITHOUT ANY WARRANTY; without even
implied warranty of MERCHANTABILITY or the implied warranty of MERCHANTABILITY
FITNESS FOR A PARTICULAR PURPOSE. See the GNU or FITNESS FOR A PARTICULAR PURPOSE. See the
General Public License for more details.<br> GNU General Public License for more details.<br>
<br> <br>
You should have received a copy You should have received a copy
of the GNU General Public License of the GNU General Public License
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -119,16 +119,17 @@ General Public License for more details.<br>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that
match your environment and follow the step by step instructions.<br> most closely match your environment and follow the step by
step instructions.<br>
<h2>Looking for Information?</h2> <h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right. Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not If so, the documentation<b> </b>on this site will not
apply directly to your setup. If you want to use the documentation apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site. and installing a setup that matches the documentation on this site.
@ -142,213 +143,232 @@ Index</a> is a good place to start as is the Quick Search to your right.
<p><b></b></p> <p><b></b></p>
<ol> <ol>
</ol> </ol>
<p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0" <p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
<br> </b></p>
</b></p> <blockquote>
<p><b><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing"
target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</b></p>
</blockquote>
<p><b>Problems Corrected:</b><br> <p><b>Problems Corrected:</b><br>
</p> </p>
<ol> <ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered start <li>A problem seen on RH7.3 systems where Shorewall encountered
errors when started using the "service" mechanism has been worked around.<br> start errors when started using the "service" mechanism has been worked
<br> around.<br>
</li> <br>
<li>Where a list of IP addresses appears in the DEST column of a </li>
<li>Where a list of IP addresses appears in the DEST column of a
DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly creates table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br> a single DNAT rule with multiple "--to-destination" clauses.<br>
<br> <br>
</li> </li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-" <li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br> were mis-handled when they appeared in the DEST column of a rule.<br>
</li> <br>
</li>
<li>A number of problems with rule parsing have been corrected. Corrections
involve the handling of "z1!z2" in the SOURCE column as well as lists in
the ORIGINAL DESTINATION column.<br>
</li>
</ol> </ol>
<p><b>Migration Issues:</b><br> <p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p> </p>
<ol> <ol>
<li>A 'newnotsyn' interface option has been added. This option may <li>In earlier versions, an undocumented feature allowed entries
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No in the host file as follows:<br>
for packets arriving on the associated interface.<br> <br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br> <br>
</li> </li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option may
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br> ranges.<br>
<br> <br>
</li> </li>
<li>Shorewall can now add IP addresses to subnets other than the <li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br> first one on an interface.<br>
<br> <br>
</li> </li>
<li>DNAT[-] rules may now be used to load balance (round-robin) over <li>DNAT[-] rules may now be used to load balance (round-robin)
a set of servers. Servers may be specified in a range of addresses given over a set of servers. Servers may be specified in a range of addresses
as &lt;first address&gt;-&lt;last address&gt;.<br> given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br> <br>
</li> </li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
have been removed and have been replaced by code that detects whether these options have been removed and have been replaced by code that detects whether
capabilities are present in the current kernel. The output of the start, these capabilities are present in the current kernel. The output of the
restart and check commands have been enhanced to report the outcome:<br> start, restart and check commands have been enhanced to report the outcome:<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
</li> </li>
<li>Support for the Connection Tracking Match Extension has been <li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection allows for rules which match against elements in netfilter's connection tracking
tracking table. Shorewall automatically detects the availability of this table. Shorewall automatically detects the availability of this extension
extension and reports its availability in the output of the start, restart and reports its availability in the output of the start, restart and check
and check commands.<br> commands.<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>    Connection Tracking Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
If this extension is available, the ruleset generated by Shorewall is changed If this extension is available, the ruleset generated by Shorewall is
in the following ways:</li> changed in the following ways:</li>
<ul> <ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create <li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering chains in the mangle table but will rather do all 'norfc1918' filtering in
in the filter table (rfc1918 chain).</li> the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules; <li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br> defaulted to) in the DNAT rule.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br> may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br> <br>
</li> </li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br> <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br> <br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;       ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br> ]<br>
<br> <br>
Examples:<br> Examples:<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
Warning:<br> Warning:<br>
<br> <br>
If your shell only supports 32-bit signed arithmatic (ash or dash), then If your shell only supports 32-bit signed arithmatic (ash or dash), then
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1 the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
and for /1 networks. Bash should produce correct information for all valid and for /1 networks. Bash should produce correct information for all valid
IP addresses.<br> IP addresses.<br>
<br> <br>
</li> </li>
<li>An 'iprange' command has been added to /sbin/shorewall. <br> <li>An 'iprange' command has been added to /sbin/shorewall. <br>
<br> <br>
      iprange &lt;address&gt;-&lt;address&gt;<br>       iprange &lt;address&gt;-&lt;address&gt;<br>
<br> <br>
This command decomposes a range of IP addressses into a list of network This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br> efficient set of rules that accept connections from a range of network addresses.<br>
<br> <br>
Note: If your shell only supports 32-bit signed arithmetic (ash or dash) Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br> then the range may not span 128.0.0.0.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>       [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>       192.168.1.4/30<br>
      192.168.1.8/29<br>       192.168.1.8/29<br>
      192.168.1.16/28<br>       192.168.1.16/28<br>
      192.168.1.32/27<br>       192.168.1.32/27<br>
      192.168.1.64/26<br>       192.168.1.64/26<br>
      192.168.1.128/25<br>       192.168.1.128/25<br>
      192.168.2.0/23<br>       192.168.2.0/23<br>
      192.168.4.0/22<br>       192.168.4.0/22<br>
      192.168.8.0/22<br>       192.168.8.0/22<br>
      192.168.12.0/29<br>       192.168.12.0/29<br>
      192.168.12.8/31<br>       192.168.12.8/31<br>
      [root@gateway root]#<br>       [root@gateway root]#<br>
<br> <br>
</li> </li>
<li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br> <li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>     foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
</li> </li>
</ol> </ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p> <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" now <li>The command "shorewall debug try &lt;directory&gt;" now
correctly traces the attempt.</li> correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones <li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li> file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second <li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br> column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
may now contain a list of addresses. If the list begins with "!' then rule may now contain a list of addresses. If the list begins with "!'
the rule will take effect only if the original destination address in then the rule will take effect only if the original destination address
the connection request does not match any of the addresses listed.</li> in the connection request does not match any of the addresses listed.</li>
</ol> </ol>
@ -356,24 +376,28 @@ the connection request does not match any of the addresses listed.</li>
</b></p> </b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
problems have been encountered with this set of software. The Shorewall have been encountered with this set of software. The Shorewall version
version is 1.4.4b plus the accumulated changes for 1.4.5.<br> is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p> </p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b></b></p> <p><b></b></p>
<ol> <ol>
</ol> </ol>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -384,50 +408,50 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on the recent <b>Congratulations to Jacques and Eric on the
release of Bering 1.2!!! </b><br> recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" <td width="88" bgcolor="#4b017c"
valign="top" align="center"> valign="top" align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font <font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font <font
face="Arial" size="-1"> <input type="text" name="words" face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial" size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden" type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font> name="config" value="htdig"> <input type="submit" value="Search"></font>
</p> </p>
<font <font
face="Arial"> <input type="hidden" name="exclude" face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
@ -437,30 +461,30 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;" <td width="100%" style="margin-top: 1px;"
valign="middle"> valign="middle">
@ -470,22 +494,22 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)"> hspace="10" alt="(Starlight Logo)">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it <font size="+2"> Shorewall is free but if you try
and find it useful, please consider making a donation it and find it useful, please consider making a donation
to <a to
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></font></p> Children's Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
@ -493,8 +517,9 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</table> </table>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -6,6 +6,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -17,82 +18,82 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/Tom.jpg" <p align="center"> <img border="3" src="images/Tom.jpg"
alt="Tom - June 2003" width="640" height="480"> alt="Aging Geek - June 2003" width="320" height="240">
</p> </p>
<p align="center">Tom -- June 2003<br> <p align="center">Tom -- June 2003<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a <li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li> href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, <li><a href="http://www.tandem.com">Tandem Computers,
Incorporated</a> (now part of the <a Incorporated</a> (now part of the <a
href="http://www.hp.com">The New HP</a>) 1980 - present</li> href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation operating <p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p> system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then Expanding on what I learned from Seattle Firewall, I then
designed and wrote Shorewall. </p> designed and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where href="http://www.cityofshoreline.com">Shoreline, Washington</a>
I live with my wife Tarry.  </p> where I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
40GB &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal 40GB &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
Windows system. Serves as a PPTP server for Road Warrior access. Dual Windows system. Serves as a PPTP server for Road Warrior access. Dual
boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
LNE100TX(Tulip) NIC - My personal Linux System which runs Samba. LNE100TX(Tulip) NIC - My personal Linux System which runs
This system also has <a href="http://www.vmware.com/">VMware</a> Samba. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li> machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD,
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), EEPRO100 NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
FTP (Pure_ftpd), DNS server (Bind 9).</li> FTP (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.4c, a DHCP server and Samba configured as a WINS server..</li> 1.4.6Beta1, a DHCP server and Samba configured as a WINS server..</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li> NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li> HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and
LinkSys WET11 - Our Laptop.<br> LinkSys WET11 - Our Laptop.<br>
</li> </li>
</ul> </ul>
@ -105,31 +106,32 @@ FTP (Pure_ftpd), DNS server (Bind 9).</li>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img </a><a href="http://www.compaq.com"><img
border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83" border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
height="25"> height="25">
</a><a href="http://www.pureftpd.org"><img </a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31"> border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a </a><font size="4"><a
href="http://www.apache.org"><img border="0" href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20"> src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" </a><img src="images/shorewall.jpg"
alt="Protected by Shorewall" width="125" height="40" hspace="4"> alt="Protected by Shorewall" width="125" height="40" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png" <a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0"> alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img </a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120" src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0"> height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p> </a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 6/15/2003 - </font><font size="2"> <a <p><font size="2">Last updated 7/14/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a <font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br> <br>
</body> </body>
</html> </html>


@ -17,62 +17,64 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall Requires:<br> Shorewall Requires:<br>
<ul> <ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20. <li>A kernel that supports netfilter. I've tested with 2.4.2 -
With current releases of Shorewall, Traffic Shaping/Control requires at 2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration at least 2.4.18.  <a href="kernel.htm"> Check here for kernel
information.</a> If you are looking for a firewall for use with configuration information.</a> If you are looking for a firewall
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle for use with 2.2 kernels, <a href="http://seawall.sf.net"> see
Firewall site</a> .</li> the Seattle Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a <li>iptables 1.2 or later but beware version 1.2.3 -- see the
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The <a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should </b></font>The buggy iptables version 1.2.3 is included in RedHat
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall.
is available <a Version 1.2.4 is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included <li>Iproute ("ip" utility). The iproute package is included
with most distributions but may not be installed by default. The official with most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li> </li>
<li>A Bourne shell or derivative such as bash or ash. This shell <li>A Bourne shell or derivative such as bash or ash. This shell
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i> must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> }, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li> } and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Must produce a sensible result when a number n (128 &lt;= n &lt;= 255) <li>Your shell must produce a sensible result when a number n (128 &lt;=
is left shifted by 24 bits. You can check this at a shell prompt by:</li> n &lt;= 255) is left shifted by 24 bits. You can check this at a shell prompt
by:</li>
<ul> <ul>
<li>echo $((128 &lt;&lt; 24))<br> <li>echo $((128 &lt;&lt; 24))<br>
</li> </li>
<li>The result must be either 2147483648 or -2147483648.<br> <li>The result must be either 2147483648 or -2147483648.<br>
</li> </li>
</ul> </ul>
<li>The firewall monitoring display is greatly improved if you have <li>The firewall monitoring display is greatly improved if you
awk (gawk) installed.</li> have awk (gawk) installed.</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 7/4/2003 - <a <p align="left"><font size="2">Last updated 7/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>


@ -9,7 +9,7 @@
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -18,31 +18,31 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" valign="middle" <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td> </td>
<td valign="middle"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net" <h1 align="center"><a href="http://www.shorewall.net"
target="_top"><br> target="_top"><br>
</a></h1> </a></h1>
<br> <br>
</td> </td>
</tr> </tr>
@ -55,11 +55,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -71,11 +71,11 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a a <a
href="http://www.netfilter.org">Netfilter</a> (iptables) href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p> or on a standalone GNU/Linux system.</p>
@ -83,27 +83,27 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in This program is distributed in
the hope that it will be useful, but the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even WITHOUT ANY WARRANTY; without even the
the implied warranty of MERCHANTABILITY implied warranty of MERCHANTABILITY or
or FITNESS FOR A PARTICULAR PURPOSE. See the FITNESS FOR A PARTICULAR PURPOSE. See the GNU
GNU General Public License for more details.<br> General Public License for more details.<br>
<br> <br>
You should have received a copy You should have received a copy
of the GNU General Public License of the GNU General Public License
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -117,18 +117,19 @@ Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the
<a
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and follow Guide</a> that most closely match your environment and follow
the step by step instructions.<br> the step by step instructions.<br>
<h2>Looking for Information?</h2> <h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right. Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not If so, the documentation<b> </b>on this site will
apply directly to your setup. If you want to use the documentation not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site. and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a> See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
@ -138,186 +139,202 @@ Index</a> is a good place to start as is the Quick Search to your right.
<h2><b>News</b></h2> <h2><b>News</b></h2>
<p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
<br> <br>
</b></p> </b> </p>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a></b></blockquote>
<p><b>Problems Corrected:</b><br> <p><b>Problems Corrected:</b><br>
</p> </p>
<ol> <ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered start <li>A problem seen on RH7.3 systems where Shorewall encountered
errors when started using the "service" mechanism has been worked around.<br> start errors when started using the "service" mechanism has been worked
<br> around.<br>
</li> <br>
<li>Where a list of IP addresses appears in the DEST column of a </li>
<li>Where a list of IP addresses appears in the DEST column of a
DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly creates table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br> a single DNAT rule with multiple "--to-destination" clauses.<br>
<br> <br>
</li> </li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-" <li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br> were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li value="4">A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
</li> </li>
</ol> </ol>
<p><b>Migration Issues:</b><br> <p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p> </p>
<ol> <ol>
<li>A 'newnotsyn' interface option has been added. This option may <li>In earlier versions, an undocumented feature allowed entries
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No in the host file as follows:<br>
for packets arriving on the associated interface.<br> <br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br> <br>
</li> </li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option may
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br> ranges.<br>
<br> <br>
</li> </li>
<li>Shorewall can now add IP addresses to subnets other than the <li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br> first one on an interface.<br>
<br> <br>
</li> </li>
<li>DNAT[-] rules may now be used to load balance (round-robin) over <li>DNAT[-] rules may now be used to load balance (round-robin)
a set of servers. Servers may be specified in a range of addresses given over a set of servers. Servers may be specified in a range of addresses
as &lt;first address&gt;-&lt;last address&gt;.<br> given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br> <br>
</li> </li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
have been removed and have been replaced by code that detects whether these options have been removed and have been replaced by code that detects whether
capabilities are present in the current kernel. The output of the start, these capabilities are present in the current kernel. The output of the
restart and check commands have been enhanced to report the outcome:<br> start, restart and check commands have been enhanced to report the outcome:<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
</li> </li>
<li>Support for the Connection Tracking Match Extension has been <li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection allows for rules which match against elements in netfilter's connection tracking
tracking table. Shorewall automatically detects the availability of this table. Shorewall automatically detects the availability of this extension
extension and reports its availability in the output of the start, restart and reports its availability in the output of the start, restart and check
and check commands.<br> commands.<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>    Connection Tracking Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
If this extension is available, the ruleset generated by Shorewall is changed If this extension is available, the ruleset generated by Shorewall is
in the following ways:</li> changed in the following ways:</li>
<ul> <ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create <li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering chains in the mangle table but will rather do all 'norfc1918' filtering in
in the filter table (rfc1918 chain).</li> the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules; <li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br> defaulted to) in the DNAT rule.<br>
<br> <br>
</li> </li>
</ul> </ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall) <li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br> may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br> <br>
</li> </li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br> <li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br> <br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;       ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br> ]<br>
<br> <br>
Examples:<br> Examples:<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>       [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>          CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>          NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>          NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>          BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>       [root@wookie root]#<br>
<br> <br>
Warning:<br> Warning:<br>
<br> <br>
If your shell only supports 32-bit signed arithmatic (ash or dash), then If your shell only supports 32-bit signed arithmatic (ash or dash), then
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1 the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
and for /1 networks. Bash should produce correct information for all valid and for /1 networks. Bash should produce correct information for all valid
IP addresses.<br> IP addresses.<br>
<br> <br>
</li> </li>
<li>An 'iprange' command has been added to /sbin/shorewall. <br> <li>An 'iprange' command has been added to /sbin/shorewall. <br>
<br> <br>
      iprange &lt;address&gt;-&lt;address&gt;<br>       iprange &lt;address&gt;-&lt;address&gt;<br>
<br> <br>
This command decomposes a range of IP addressses into a list of network This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br> efficient set of rules that accept connections from a range of network addresses.<br>
<br> <br>
Note: If your shell only supports 32-bit signed arithmetic (ash or dash) Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br> then the range may not span 128.0.0.0.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>       [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>       192.168.1.4/30<br>
      192.168.1.8/29<br>       192.168.1.8/29<br>
      192.168.1.16/28<br>       192.168.1.16/28<br>
      192.168.1.32/27<br>       192.168.1.32/27<br>
      192.168.1.64/26<br>       192.168.1.64/26<br>
      192.168.1.128/25<br>       192.168.1.128/25<br>
      192.168.2.0/23<br>       192.168.2.0/23<br>
      192.168.4.0/22<br>       192.168.4.0/22<br>
      192.168.8.0/22<br>       192.168.8.0/22<br>
      192.168.12.0/29<br>       192.168.12.0/29<br>
      192.168.12.8/31<br>       192.168.12.8/31<br>
      [root@gateway root]#<br>       [root@gateway root]#<br>
<br> <br>
</li> </li>
<li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br> <li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24</li>     foo    eth1:192.168.1.0/24,192.168.2.0/24</li>
</ol> </ol>
<b> </b> <b> </b>
<ol> <ol>
</ol> </ol>
@ -325,42 +342,43 @@ then the range may not span 128.0.0.0.<br>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p> <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" now <li>The command "shorewall debug try &lt;directory&gt;" now
correctly traces the attempt.</li> correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones <li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li> file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second <li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br> column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
may now contain a list of addresses. If the list begins with "!' then rule may now contain a list of addresses. If the list begins with "!'
the rule will take effect only if the original destination address in then the rule will take effect only if the original destination address
the connection request does not match any of the addresses listed.</li> in the connection request does not match any of the addresses listed.</li>
</ol> </ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p> </b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel The firewall at shorewall.net has been upgraded to the 2.4.21
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
problems have been encountered with this set of software. The Shorewall No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5. version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b></b></p> <p><b></b></p>
@ -389,26 +407,26 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
@ -417,16 +435,16 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You Shorewall-1.4.2 and Kernel-2.4.20.
can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques <b>Congratulations to Jacques
and Eric on the recent release of Bering 1.2!!! and Eric on the recent release of Bering 1.2!!!
</b><br> </b><br>
@ -435,29 +453,29 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td width="88" bgcolor="#4b017c" <td width="88" bgcolor="#4b017c"
valign="top" align="center"> valign="top" align="center">
@ -467,59 +485,60 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily <font color="#ffffff">Search is unavailable Daily
0200-0330 GMT.</font><br> 0200-0330 GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font <input type="text" name="words" size="15"></font><font
size="-1"> </font><font face="Arial" size="-1"> <input size="-1"> </font><font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden" type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><font color="#ffffff"><b> <a <p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" <a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff"> href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top" </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
@ -528,22 +547,22 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it <font size="+2">Shorewall is free but if you try it
and find it useful, please consider making a donation and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p> Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
@ -551,8 +570,8 @@ and find it useful, please consider making a donation
</table> </table>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>
</html> </html>


@ -13,49 +13,49 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%"> width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There
are a number of sources of Shorewall information. Please try There are a number of sources of Shorewall information. Please
these before you post. try these before you post.
<ul> <ul>
<li>Shorewall versions <li>Shorewall versions
earlier that 1.3.0 are no longer supported.<br> earlier that 1.3.0 are no longer supported.<br>
</li> </li>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br> Index</a><br>
</li> </li>
<li> <li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. has solutions to more than 20 common problems.
</li> </li>
<li> <li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to Information contains a number of tips to
help you solve common problems. </li> help you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<li> <li>
The Site and Mailing List Archives search facility can The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility can
locate documents and posts about similar problems: locate documents and posts about similar problems:
</li> </li>
</ul> </ul>
@ -71,13 +71,13 @@ locate documents and posts about similar problems:
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -87,7 +87,7 @@ locate documents and posts about similar problems:
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" </font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives: size="-1"> Include Mailing List Archives:
@ -95,43 +95,43 @@ locate documents and posts about similar problems:
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30"
value=""> <input type="submit" value="Search"><br> name="words" value=""> <input type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know <li>Please remember we only know
what is posted in your message. Do not leave out any information what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail contained a small error. We tend to be skeptics where detail
is lacking.<br> is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're <li>Please keep in mind that
asking for <strong>free</strong> technical support. you're asking for <strong>free</strong> technical
Any help we offer is an act of generosity, not an obligation. support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details practices in writing and formatting your e-mail. Provide details that
that we need if you expect good answers. <em>Exact quoting </em> we need if you expect good answers. <em>Exact quoting </em> of
of error messages, log entries, command output, and other output is error messages, log entries, command output, and other output is better
better than a paraphrase or summary.<br> than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> <li>
Please don't describe your environment and then ask Please don't describe your environment and then
us to send you custom configuration files. We're ask us to send you custom configuration files.
here to answer your questions but we can't do We're here to answer your questions but we can't
your job for you.<br> do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <li>When reporting a problem,
<strong>ALWAYS</strong> include this information:</li> <strong>ALWAYS</strong> include this information:</li>
</ul> </ul>
@ -139,13 +139,13 @@ better than a paraphrase or summary.<br>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall <li>the exact version of Shorewall
you are running.<br> you are running.<br>
<br> <br>
<b><font color="#009900">shorewall <b><font color="#009900">shorewall
version</font><br> version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
@ -155,23 +155,23 @@ better than a paraphrase or summary.<br>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output <li>the complete, exact output
of<br> of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip
addr show<br> addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output <li>the complete, exact output
of<br> of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip
route show<br> route show<br>
</b></font></li> </b></font></li>
</ul> </ul>
@ -185,69 +185,70 @@ better than a paraphrase or summary.<br>
<ul> <ul>
<ul> <ul>
<li><font color="#ff0000"><u><i><big><b>THIS IS IMPORTANT!<br> <li><big><font color="#ff0000"><u><i><big><b>THIS IS
<br> IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem
</b></big></i></u></font>If your problem is that some type of connection is that some type of connection to/from or through your firewall isn't working
to/from or through your firewall isn't working then please:<br> then please perform the following four steps:</big></big></big><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br> <br>
2. Try making the connection that is failing.<br> 2. Try making the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall 3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br> status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment
<br> (you may compress it if you like).<br>
</li> <br>
<li>the exact wording of any <code </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using <li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.<br> the Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As a general matter, please <strong>do not edit the diagnostic <li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time, secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained a hacker could derive them anyway from information contained
in the SMTP headers of your post).<br> in the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages <li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>") ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems? when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of your If so, include the message(s) in your post along with a copy of
/etc/shorewall/interfaces file.<br> your /etc/shorewall/interfaces file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration <li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless /etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br> one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to <li>If an error occurs when you try to
"<font color="#009900"><b>shorewall start</b></font>", include "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so <li><b>The list server limits posts to 120kb so
don't post GIFs of your network layout, don't post GIFs of your network layout,
etc. to the Mailing List -- your post will be rejected.</b></li> etc. to the Mailing List -- your post will be rejected.</b></li>
</ul> </ul>
@ -255,69 +256,67 @@ etc. to the Mailing List -- your post will be rejected.</b><
heavily plagiarized from the excellent LEAF document by <i>Ray</i> heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a <em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are <blockquote> A growing number of MTAs serving list subscribers are rejecting
rejecting all HTML traffic. At least one MTA has gone so far as to all HTML traffic. At least one MTA has gone so far as to blacklist
blacklist shorewall.net "for continuous abuse" because it has been shorewall.net "for continuous abuse" because it has been my policy
my policy to allow HTML in list posts!!<br> to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML I think that blocking all
is a Draconian way to control spam and that the ultimate HTML is a Draconian way to control spam and that the
losers here are not the spammers but the list subscribers ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to to get a <i>(expletive deleted)</i> life instead of trying to rid
rid the planet of HTML based e-mail". Nevertheless, to allow the planet of HTML based e-mail". Nevertheless, to allow subscribers
subscribers to receive list posts as must as possible, I have now to receive list posts as must as possible, I have now configured
configured the list server at shorewall.net to strip all HTML from the list server at shorewall.net to strip all HTML from outgoing
outgoing posts.<br> posts.<br>
<br> <br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server <big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected. To unless/until the postmaster notices that your posts are being rejected.
avoid this problem, you should configure your MTA to forward posts to shorewall.net To avoid this problem, you should configure your MTA to forward posts to
through an MTA that <u>does</u> have a valid PTR record (such as the one shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
at your ISP). </b></font></big><br> as the one at your ISP). </b></font></big><br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4> list</a>.</span></h4>
<b>If you run Shorewall under <b>If you run Shorewall under
MandrakeSoft Multi Network Firewall (MNF) and you have MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can not purchased an MNF license from MandrakeSoft then you can
post non MNF-specific Shorewall questions to the </b><a post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b> list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p> list</a> .</p>
<p> To Subscribe to the mailing list go to <a <p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 7/6/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.6Beta2 VERSION=1.4.6RC1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.6Beta2 VERSION=1.4.6RC1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.4.6 %define version 1.4.6
%define release 0Beta2 %define release 0RC1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0RC1
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net> * Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta2 - Changed version to 1.4.6-0Beta2
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net> * Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6Beta2 VERSION=1.4.6RC1
usage() # $1 = exit status usage() # $1 = exit status
{ {