Shorewall 1.4.6 RC1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-07-14 22:09:33 +00:00
parent defe814ca5
commit 88e1eb7e4d
16 changed files with 5403 additions and 5050 deletions

View File

@ -12,6 +12,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -39,9 +40,9 @@
</h1>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address
192.168.1.5. I've looked everywhere and can't
find <b>how to do it</b>.</a></p>
port</b> 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and
can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.<br>
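Review bot: the rewrapped TOC entry for FAQ 1 still carries the duplicated word in "to my my personal PC" (it appears in both the old and the new wrapping of that line); drop one "my" while the line is being rewritten. The FAQ 1 heading further down the file has the same duplication, so the two should be corrected together to keep the TOC and the heading matching.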
@ -86,8 +87,8 @@ using their DNS names.</b></a></p>
as 'closed' rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as
open!!!!<br>
of my firewall and it showed 100s of ports
as open!!!!<br>
</a></p>
<b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter
how I change my rules. </a>
@ -110,13 +111,13 @@ using their DNS names.</b></a></p>
<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
requests. Can i exclude these error messages for this port temporarily
from logging in Shorewall?</a><br>
requests. Can i exclude these error messages for this port
temporarily from logging in Shorewall?</a><br>
</p>
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
of these <b>DROP messages from port 53</b> <b>to some high numbered
port</b>. They get dropped, but what the heck are they?</a><br>
of these <b>DROP messages from port 53</b> <b>to some high
numbered port</b>. They get dropped, but what the heck are they?</a><br>
</p>
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
@ -131,8 +132,8 @@ using their DNS names.</b></a></p>
<a href="#faq17">How do I find out <b>why this traffic is</b>
getting <b>logged?</b></a><br>
<b><br>
21. </b><a href="#faq21">I see these <b>strange log entries
</b>occasionally; what are they?</a><br>
21. </b><a href="#faq21">I see these <b>strange log
entries </b>occasionally; what are they?</a><br>
<h1>STARTING AND STOPPING<br>
</h1>
@ -152,9 +153,10 @@ stop', I can't connect to anything</b>. Why doesn't that command
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly at startup?</a></p>
<b>22. </b><a href="#faq22">I
have some <b>iptables commands </b>that I want to <b>run
when Shorewall starts.</b> Which file do I put them in?</a><br>
<b>22. </b><a
href="#faq22">I have some <b>iptables commands </b>that I
want to <b>run when Shorewall starts.</b> Which file do I put them
in?</a><br>
<h1>ABOUT SHOREWALL<br>
</h1>
@ -167,25 +169,26 @@ when Shorewall starts.</b> Which file do I put them in?</a><br>
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
<b>23. </b><a href="#faq23">Why do you
use such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
<b>23. </b><a href="#faq23">Why do
you use such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
<b><br>
25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?</a><br>
25. </b><a href="#faq25">How to I tell <b>which version of
Shorewall</b> I am <b>running</b>?</a><br>
<h1>RFC 1918<br>
</h1>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows
me to configure/monitor it but as expected if I enable
<b> rfc1918 blocking</b> for my eth0 interface, it also
blocks the <b>cable modems web server</b></a>.</p>
me to configure/monitor it but as expected if I
enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC
1918 address. If I enable RFC 1918 filtering on my
external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
1918 address. If I enable RFC 1918 filtering on
my external interface, <b>my DHCP client cannot renew its
lease</b>.</a></p>
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
</h1>
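Review bot: three spelling slips survive the rewrap of the FAQ 25 and FAQ 14 entries: "How to I tell" should read "How do I tell", "internel web server" should be "internal web server", and "cable modems web server" wants the possessive "cable modem's web server". Since these lines are being rewritten anyway, fix them in this change rather than leaving them for a later pass.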
@ -195,9 +198,9 @@ when Shorewall starts.</b> Which file do I put them in?</a><br>
<h1>MISCELLANEOUS<br>
</h1>
<b>19. </b><a href="#faq19">I have added <b>entries to
/etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do
anything</b>. Why?</a><br>
<b>19. </b><a href="#faq19">I have added <b>entries
to /etc/shorewall/tcrules</b> but they <b>don't </b>seem to
<b>do anything</b>. Why?</a><br>
<br>
<b>20. </b><a
href="#faq20">I have just set up a server. <b>Do I have
@ -207,14 +210,20 @@ to change Shorewall to allow access to my server from the internet?<
conections</b> to let's say the ssh port only<b> from specific
IP Addresses</b> on the internet?</a><br>
<br>
<b>26. </b><a href="#faq26">When I try to use any of the
<b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation
<b>26. </b><a href="#faq26">When I try to use any of
the <b>SYN options in nmap</b> on or behind the firewall, I get "<b>operation
not permitted</b>". How can I use nmap with Shorewall?"</a><br>
<br>
<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my firewall<b>.</b>
What should I look out for?</a><br>
<br>
<b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging Firewall</b>?</a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find how to do it.</h4>
I've looked everywhere and can't find how to do
it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
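Review bot: the FAQ 1 heading rewrapped here keeps "to my my personal PC" (duplicated "my"), and the FAQ 24 context line at the top of the hunk still reads "allow conections" for "allow connections". Both strings are mirrored in the TOC at the top of the page, so whichever copy is corrected, the other should be changed in the same commit.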
@ -245,9 +254,11 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port
#&gt;</i></td>
<td> <br>
<td>
<br>
</td>
<td> <br>
<td>
<br>
</td>
</tr>
@ -279,9 +290,11 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
<td>loc:192.168.1.5</td>
<td>udp</td>
<td>7777</td>
<td> <br>
<td>
<br>
</td>
<td> <br>
<td>
<br>
</td>
</tr>
@ -290,9 +303,9 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
</blockquote>
<div align="left"> <font face="Courier"> </font>If
you want to forward requests directed to a particular address
( <i>&lt;external IP&gt;</i> ) on your firewall to an internal
system:</div>
you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to
an internal system:</div>
<blockquote>
<table border="1" cellpadding="2" cellspacing="0"
@ -335,13 +348,14 @@ not permitted</b>". How can I use nmap with Shorewall?"</a><br>
things:</p>
<ul>
<li>You are
trying to test from inside your firewall (no, that
<li>You
are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have
a more basic problem with your local system such as
an incorrect default gateway configured (it should be
set to the IP address of your firewall's internal interface).</li>
<li>You
have a more basic problem with your local system such
as an incorrect default gateway configured (it should
be set to the IP address of your firewall's internal
interface).</li>
<li>Your ISP is blocking that particular port inbound.<br>
</li>
@ -353,25 +367,25 @@ set to the IP address of your firewall's internal interface).</l
diagnose this problem:<br>
<ul>
<li>As root, type "iptables
-t nat -Z". This clears the NetFilter counters in
the nat table.</li>
<li>Try to connect to
the redirected port from an external host.</li>
<li>As root, type
"iptables -t nat -Z". This clears the NetFilter counters
in the nat table.</li>
<li>Try to connect
to the redirected port from an external host.</li>
<li>As root type "shorewall
show nat"</li>
<li>Locate the appropriate
DNAT rule. It will be in a chain called <i>&lt;source
zone&gt;</i>_dnat ('net_dnat' in the above examples).</li>
<li>Is the packet count
in the first column non-zero? If so, the connection
<li>Is the packet
count in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected
to the server. In this case, the problem is usually a missing
or incorrect default gateway setting on the server (the
server's default gateway should be the IP address of the firewall's
interface to the server).</li>
<li>If the packet count
is zero:</li>
server's default gateway should be the IP address of the
firewall's interface to the server).</li>
<li>If the packet
count is zero:</li>
<ul>
<li>the connection
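Review bot: the rewrapped diagnostic list places a nested <ul> directly after "<li>If the packet count is zero:</li>" instead of inside that <li>; a <ul> may only contain <li> children, so the closing </li> should move to after the nested list. Also, the third step reads 'As root type "shorewall show nat"' while the first step reads 'As root, type ...'; add the comma so the steps are phrased consistently.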
@ -443,13 +457,13 @@ my local network. External clients can browse http://www
an internet-accessible server in your local network
is like raising foxes in the corner of your hen house.
If the server is compromised, there's nothing between
that server and your other internal systems. For the cost
of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems
that server and your other internal systems. For the
cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems
- assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility
problem is best solved using <a
<li>The
accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5
@ -615,13 +629,14 @@ releases.<br>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918
addresses to hosts in Z. Hosts in Z cannot communicate
with each other using their external (non-RFC1918 addresses)
so they can't access each other using their DNS names.</h4>
with each other using their external (non-RFC1918
addresses) so they can't access each other using their DNS
names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both
external and internal clients to access a NATed host
using the host's DNS name.</p>
external and internal clients to access a NATed
host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts
@ -638,7 +653,8 @@ Z-&gt;Z traffic through your firewall then:</p>
Example:</p>
<p align="left">Zone: dmz<br>
Interface: eth2<br>
Interface:
eth2<br>
Subnet: 192.168.2.0/24</p>
<p align="left">In /etc/shorewall/interfaces:</p>
@ -682,7 +698,8 @@ Z-&gt;Z traffic through your firewall then:</p>
<td>dmz</td>
<td>dmz</td>
<td>ACCEPT</td>
<td> <br>
<td>
<br>
</td>
</tr>
@ -725,8 +742,8 @@ Z-&gt;Z traffic through your firewall then:</p>
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for
a solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter
a solution for MSN IM but be aware that there are significant
security risks involved with this solution. Also check the Netfilter
mailing list archives at <a
href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p>
@ -783,10 +800,10 @@ that attempt.<br>
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
<br>
b) Be sure that
the first command in the file is ". /etc/shorewall/common.def"<br>
c) Add the following
to /etc/shorewall/common </p>
b) Be sure
that the first command in the file is ". /etc/shorewall/common.def"<br>
c) Add the
following to /etc/shorewall/common </p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
@ -839,14 +856,14 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
<a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
</p>
</blockquote>
I personnaly use Logwatch. It emails
me a report each day from my various systems with each
report summarizing the logged activity on the corresponding
I personnaly use Logwatch. It
emails me a report each day from my various systems with
each report summarizing the logged activity on the corresponding
system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can
i exclude these error messages for this port temporarily from logging
in Shorewall?</h4>
i exclude these error messages for this port temporarily from
logging in Shorewall?</h4>
Temporarily add the following rule:<br>
<pre> DROP net fw udp 10619</pre>
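Review bot: "personnaly" should be "personally" in the rewrapped Logwatch sentence, and "Can i exclude" in the FAQ 6b heading wants a capital "I" (the TOC entry for 6b, rewrapped earlier in this diff, has the same lowercase "i" and should be fixed alongside it).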
@ -908,9 +925,9 @@ sample configurations available in the <a
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed
in /etc/shorewall/routestopped' are activated. If
you want to totally open up your firewall, you must use the
'shorewall clear' command. </p>
in /etc/shorewall/routestopped' are activated.
If you want to totally open up your firewall, you must use
the 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4>
@ -974,8 +991,8 @@ local zone is defined as all hosts connected through eth1</p>
<h4 align="left"><a name="faq12"></a>12. Is there a GUI?</h4>
<p align="left"><b>Answer: </b>Yes. Shorewall support is included in Webmin
1.060 and later versions. See <a href="http://www.webmin.com">http://www.webmin.com</a>
</p>
1.060 and later versions. See <a
href="http://www.webmin.com">http://www.webmin.com</a> </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
@ -993,8 +1010,8 @@ enable rfc1918 blocking for my eth0 interface (the internet
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1
address of the modem in/out but still block all other
rfc1918 addresses?</p>
address of the modem in/out but still block all
other rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
@ -1091,10 +1108,10 @@ its lease.</h4>
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers
with eyes and what those computers will "see" when
things are working properly. That aside, the most
common causes of this problem are:</p>
the net", I wonder where the poster bought
computers with eyes and what those computers will
"see" when things are working properly. That aside,
the most common causes of this problem are:</p>
<ol>
<li>
@ -1111,8 +1128,8 @@ common causes of this problem are:</p>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall
and hasn't enabled UDP and TCP port 53 from the
firewall to the internet.</p>
and hasn't enabled UDP and TCP port 53 from
the firewall to the internet.</p>
</li>
</ol>
@ -1125,8 +1142,8 @@ common causes of this problem are:</p>
the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent
to the console is specified in /etc/sysconfig/init in
the LOGLEVEL variable.<br>
to the console is specified in /etc/sysconfig/init
in the LOGLEVEL variable.<br>
</p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
@ -1146,9 +1163,9 @@ the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>,
<b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
specifies a log level and this packet is being logged
under that policy. If you intend to ACCEPT this traffic
</b>- You have a<a href="Documentation.htm#Policy"> policy</a>
that specifies a log level and this packet is being
logged under that policy. If you intend to ACCEPT this traffic
then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt;
@ -1165,8 +1182,8 @@ includes a log level.</li>
<li><b>logpkt</b>
- The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>-
The packet is being logged under the <b>dropunclean</b>
<li><b>badpkt
</b>- The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>
as specified in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
@ -1175,11 +1192,12 @@ includes a log level.</li>
is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn
</b>- The packet is being logged because it is a
TCP packet that is not part of any current connection yet
it is not a syn packet. Options affecting the logging of such
packets include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN
</b>in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
</b>- The packet is being logged because it is
a TCP packet that is not part of any current connection
yet it is not a syn packet. Options affecting the logging
of such packets include <b>NEWNOTSYN </b>and
<b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b>
or <b>FORWARD</b> - The packet has a source IP address
that isn't in any of your defined zones ("shorewall check"
@ -1197,9 +1215,9 @@ packet is being logged because it failed the checks implemen
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for
different IPs?</h4>
<b>Answer: </b>Yes. See
<a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
<b>Answer: </b>Yes.
See <a href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased
Interfaces</a>.
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4>
You probably haven't set
@ -1225,11 +1243,11 @@ rules for your server.<br>
192.0.2.3 is external on my
firewall... 172.16.0.0/24 is my internal LAN<br>
<br>
<b>Answer: </b>While most people
associate the Internet Control Message Protocol (ICMP)
with 'ping', ICMP is a key piece of the internet. ICMP is
used to report problems back to the sender of a packet; this
is what is happening here. Unfortunately, where NAT is involved
<b>Answer: </b>While most
people associate the Internet Control Message Protocol
(ICMP) with 'ping', ICMP is a key piece of the internet.
ICMP is used to report problems back to the sender of a packet;
this is what is happening here. Unfortunately, where NAT is involved
(including SNAT, DNAT and Masquerade), there are a lot of broken
implementations. That is what you are seeing with these messages.<br>
<br>
@ -1237,9 +1255,9 @@ implementations. That is what you are seeing with these messages.<br>
what is happening -- to confirm this analysis, one would
have to have packet sniffers placed a both ends of the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and
your DNS server tried to send a response (the response information
Host 172.16.1.10 behind NAT
gateway 206.124.146.179 sent a UDP DNS query to 192.0.2.3
and your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as
a DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the
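Review bot: "returned to to 206.124.146.179" duplicates "to" in the rewrapped line, and the context line just above ("packet sniffers placed a both ends") should read "at both ends". Both are worth fixing while this paragraph is being reflowed.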
@ -1249,17 +1267,17 @@ back to 192.0.2.3. As this packet is sent back through 206.124.146.179,
that box correctly changes the source address in the packet to 206.124.146.179
but doesn't reset the DST IP in the original DNS response similarly.
When the ICMP reaches your firewall (192.0.2.3), your firewall has
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result
is that the packet gets logged and dropped in the all2all chain. I
have also seen cases where the source IP in the ICMP itself isn't set
back to the external IP of the remote NAT gateway; that causes your
no record of having sent a DNS reply to 172.16.1.10 so this ICMP
doesn't appear to be related to anything that was sent. The final
result is that the packet gets logged and dropped in the all2all chain.
I have also seen cases where the source IP in the ICMP itself isn't
set back to the external IP of the remote NAT gateway; that causes your
firewall to log and drop the packet out of the rfc1918 chain because
the source IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do
I put them in?</h4>
I want to <b>run when Shorewall starts.</b> Which file
do I put them in?</h4>
You can place these commands
in one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
Scripts</a>. Be sure that you look at the contents of the chain(s)
@ -1274,10 +1292,10 @@ or REJECT rule and any rules that you add after that will be ignored.
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
The Shorewall web site is almost font
neutral (it doesn't explicitly specify fonts except on a few
pages) so the fonts you see are largely the default fonts configured
in your browser. If you don't like them then reconfigure your
browser.<br>
neutral (it doesn't explicitly specify fonts except on a
few pages) so the fonts you see are largely the default fonts
configured in your browser. If you don't like them then reconfigure
your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the
@ -1305,13 +1323,30 @@ in nmap on or behind the firewall, I get "operation not permitted". How can
I use nmap with Shorewall?"</h4>
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes"
then restart Shorewall.<br>
<h4><a name="faq27">27. I'm compiling a new kernel for my firewall. What should
I look out for?</a></h4>
First take a look at the <a href="kernel.htm">Shorewall kernel configuration
page</a>. You probably also want to be sure that you have selected the "<b>NAT
of local connections (READ HELP)</b>" on the Netfilter Configuration menu.
Otherwise, DNAT rules with your firewall as the source zone won't work with
your new kernel.<br>
<h4><a name="faq28"></a>28. How do I use Shorewall as a Bridging Firewall?<br>
</h4>
Basically, you don't. While there are kernel patches that allow you to route
bridge traffic through Netfilter, the environment is so different from the
Layer 3 firewalling environment that very little of Shorewall works. In fact,
so much of Shorewall doesn't work that my official position is that "Shorewall
doesn't work with Layer 2 Bridging".<br>
<br>
<font size="2">Last updated 7/5/2003 - <a
<font size="2">Last updated 7/9/2003 - <a
href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>
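Review bot: the new FAQ 27 heading wraps its whole text inside the anchor (<h4><a name="faq27">27. ... for?</a></h4>), whereas every other entry, including the new FAQ 28 directly below it, uses an empty <a name="..."></a> followed by the heading text; use the empty-anchor form for consistency. FAQ 28 should also link to the Shorewall_Doesnt.html page this commit adds, since that page's first bullet makes the same Layer 2 bridging point. In the FAQ 26 context lines above, the answer tells users to set NEWNOTSYN=Yes so that nmap's SYN options work; because FAQ 17 earlier in this file lists NEWNOTSYN among the options that govern how TCP packets outside any tracked connection are handled, a sentence noting that the setting applies to all traffic and not only to nmap would help readers judge the trade-off. Finally, the FAQ 26 heading ends with a stray closing quote after "Shorewall?".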

File diff suppressed because it is too large.

View File

@ -0,0 +1,50 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<small> </small><small>
</small><small>
</small><small>
</small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall
<b>Cannot</b> Do</font></small></h1>
<small> </small></td>
</tr>
</tbody>
</table>
<small><br>
</small>Shorewall cannot:<br>
<ul>
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by application.</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br>
</li>
</ul>
<br>
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>
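Review bot: the new page carries a run of empty <small> </small> pairs (before the banner table, inside its cell, and after it) that look like editor residue and contribute nothing; remove them. The bullet "Be used on a Linux System that is functioning as a Layer 2 Bridge" restates FAQ 28 in FAQ.htm, so the two pages should cross-link, and the list item "Do content filtering -- better to use Squid for that" would read better as "Do content filtering (use Squid for that instead)".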

View File

@ -12,8 +12,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -38,6 +38,8 @@
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
@ -50,8 +52,9 @@
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
@ -71,8 +74,8 @@
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
@ -137,5 +140,6 @@
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

View File

@ -38,6 +38,8 @@
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
@ -71,11 +73,12 @@
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -136,5 +139,6 @@ Site</a></li>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

View File

@ -75,14 +75,14 @@
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep at
hotmail dot com.</p>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
<p>Please note that the mail server at shorewall.net
checks incoming mail:<br>
</p>
<ol>
@ -96,31 +96,24 @@ incoming mail:<br>
A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li>
<li>to ensure that the sending system has a valid PTR record in DNS.</li>
</ol>
<big><font color="#cc0000"><b>This last point is important. If you run your
own outgoing mail server and it doesn't have a valid DNS PTR record, your
email won't reach the lists unless/until the postmaster notices that your
posts are being rejected. To avoid this problem, you should configure your
MTA to forward posts to shorewall.net through an MTA that <u>does</u> have
a valid PTR record (such as the one at your ISP). </b></font></big><br>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been my
policy to allow HTML in list posts!!<br>
rejecting all HTML traffic. At least one MTA has gone so far as
to blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to
control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured the
list server at shorewall.net to strip all HTML from outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
the planet of HTML based e-mail". Nevertheless, to allow subscribers to
receive list posts as must as possible, I have now configured the list
server at shorewall.net to strip all HTML from outgoing posts. This
means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
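Review bot: this hunk drops the list item "to ensure that the sending system has a valid PTR record in DNS" together with the red boxed warning that explained why posts from an MTA without a PTR record never reach the lists and how to route around it through an MTA that does have one, but nothing in the hunk or the commit message says whether the server stopped checking PTR records. If the check is still in place, that guidance should stay; if it was removed, a one-line note that PTR records are no longer required would help subscribers who remember the old advice. Separately, "as must as possible" in the rewrapped paragraph should be "as much as possible", and "explitive" should be "expletive".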
@ -156,34 +149,34 @@ This means that HTML-only posts will be bounced by the list server.<br>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict"
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br>
<h2 align="left"><font color="#ff0000">Please do not try to download the
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site),
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
by Shoreline Firewall (such as the one used on my web site), you
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
then you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the
server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also
posted to this list.</p>
of general interest to the Shorewall user community is also posted
to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem
@ -207,9 +200,9 @@ reporting guidelines</a>.</b></p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
@ -294,11 +287,12 @@ emailed to you.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 6/14/2003 - <a
<p align="left"><font size="2">Last updated 7/7/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

View File

@ -24,7 +24,10 @@
</table>
<br>
Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.4.0. <br>
coming in Shorewall version 1.4.0. To find out which version of Shorewall
you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
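Review bot: the context line "In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just" carries two typos that sit right next to the new text: "Shoreall" should be "Shorewall" and "echo-request's" should be the plural "echo-requests" (and "later version" should be "later versions"). The added advice to run "/sbin/shorewall version" is a good addition; the error-means-1.2.4-or-earlier hint is clear.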
@ -51,8 +54,8 @@ form:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -90,8 +93,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
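Review bot: the hunk header context "need a rule in /etc/shoreall/rules of the form" (shown for this hunk and the next two) points at a misspelled path; it should be /etc/shorewall/rules, since a reader copying that path will not find the file. The reflow inside the hunk itself is cosmetic and fine.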
@ -111,8 +114,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
There are several aspects to the old Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>noping</b> and <b>filterping </b>interface options in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -123,8 +126,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and
simple routing.</li>
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
</ol>
These cases will be covered separately.<br>
@ -133,13 +136,13 @@ simple routing.</li>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
</ol>
@ -177,16 +180,11 @@ request is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>

View File

@ -71,9 +71,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -83,18 +83,18 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed in
the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
@ -119,9 +119,10 @@ General Public License for more details.<br>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
New to Shorewall? Start by selecting the
<a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that
most closely match your environment and follow the step by
step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
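Review bot: "the QuickStart Guide that most closely match your environment" is ungrammatical in both the old and new wording; since the sentence is being rewrapped, change it to "that most closely matches your environment" here.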
@ -142,20 +143,28 @@ Index</a> is a good place to start as is the Quick Search to your right.
<p><b></b></p>
<ol>
</ol>
<p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote>
<p><b><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing"
target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</b></p>
</blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered start
errors when started using the "service" mechanism has been worked around.<br>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of a
@ -166,7 +175,13 @@ a single DNAT rule with multiple "--to-destination" clauses.<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected. Corrections
involve the handling of "z1!z2" in the SOURCE column as well as lists in
the ORIGINAL DESTINATION column.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
@ -188,6 +203,7 @@ entries of the following format:<br>
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
@ -208,19 +224,19 @@ for packets arriving on the associated interface.<br>
first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin) over
a set of servers. Servers may be specified in a range of addresses given
as &lt;first address&gt;-&lt;last address&gt;.<br>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
have been removed and have been replaced by code that detects whether these
capabilities are present in the current kernel. The output of the start,
restart and check commands have been enhanced to report the outcome:<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the
start, restart and check commands have been enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -231,10 +247,10 @@ restart and check commands have been enhanced to report the outcome:<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
allows for rules which match against elements in netfilter's connection tracking
table. Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and check
commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -243,12 +259,13 @@ and check commands.<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is changed
in the following ways:</li>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
chains in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
@ -256,6 +273,7 @@ check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
@ -324,7 +342,9 @@ then the range may not span 128.0.0.0.<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
@ -345,10 +365,10 @@ file; previously, INCLUDE in that file was ignored.</li>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then
the rule will take effect only if the original destination address in
the connection request does not match any of the addresses listed.</li>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
</ol>
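Review bot: the quoting in 'If the list begins with "!'' is mismatched (opening double quote, closing single quote) in both the old and the rewrapped text; it should be "!" so readers are not left wondering whether the apostrophe is part of the syntax. The same line appears in the second copy of this page further down in the diff.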
@ -356,24 +376,28 @@ the connection request does not match any of the addresses listed.</li>
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version
is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b></b></p>
<ol>
</ol>
<p><a href="News.htm">More News</a></p>
@ -395,8 +419,8 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent
release of Bering 1.2!!! </b><br>
<b>Congratulations to Jacques and Eric on the
recent release of Bering 1.2!!! </b><br>
@ -477,11 +501,11 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it
and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
<font size="+2"> Shorewall is free but if you try
it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
</td>
@ -493,8 +517,9 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</table>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</body>
</html>

View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -29,7 +30,7 @@
</table>
<p align="center"> <img border="3" src="images/Tom.jpg"
alt="Tom - June 2003" width="640" height="480">
alt="Aging Geek - June 2003" width="320" height="240">
</p>
<p align="center">Tom -- June 2003<br>
@ -64,8 +65,8 @@ designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p>
@ -75,17 +76,17 @@ I live with my wife Tarry.
Windows system. Serves as a PPTP server for Road Warrior access. Dual
boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
LNE100TX(Tulip) NIC - My personal Linux System which runs Samba.
This system also has <a href="http://www.vmware.com/">VMware</a>
LNE100TX(Tulip) NIC - My personal Linux System which runs
Samba. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD,
EEPRO100 NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
FTP (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.4c, a DHCP server and Samba configured as a WINS server..</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.6Beta1, a DHCP server and Samba configured as a WINS server..</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
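Review bot: the firewall entry now says "Shorewall 1.4.6Beta1", but this same commit announces 1.4.6 RC 1, so the line is already stale; also "256MB MB RAM" repeats the unit and "WINS server.." ends with a double period, both of which were copied through the rewrap unchanged.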
@ -125,11 +126,12 @@ FTP (Pure_ftpd), DNS server (Bind 9).</li>
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 6/15/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 7/14/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
</body>
</html>

View File

@ -30,17 +30,17 @@
Shorewall Requires:<br>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
With current releases of Shorewall, Traffic Shaping/Control requires at
least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
at least 2.4.18.  <a href="kernel.htm"> Check here for kernel
configuration information.</a> If you are looking for a firewall
for use with 2.2 kernels, <a href="http://seawall.sf.net"> see
the Seattle Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the
<a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
</b></font>The buggy iptables version 1.2.3 is included in RedHat
7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall.
Version 1.2.4 is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included
@ -52,8 +52,9 @@ with most distributions but may not be installed by default. The official
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Must produce a sensible result when a number n (128 &lt;= n &lt;= 255)
is left shifted by 24 bits. You can check this at a shell prompt by:</li>
<li>Your shell must produce a sensible result when a number n (128 &lt;=
n &lt;= 255) is left shifted by 24 bits. You can check this at a shell prompt
by:</li>
<ul>
<li>echo $((128 &lt;&lt; 24))<br>
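Review bot: the visible hunk gives the check command ("echo $((128 << 24))") but ends before any expected result is shown; make sure the following list item states the value the reader should see (2147483648) so they can tell a shell that uses 32-bit signed arithmetic, which prints a negative number, from one that "produces a sensible result". The rewording to "Your shell must produce ..." is an improvement, since the previous item lacked a subject.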
@ -62,12 +63,12 @@ is left shifted by 24 bits. You can check this at a shell prompt by:</li>
</li>
</ul>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
<li>The firewall monitoring display is greatly improved if you
have awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 7/4/2003 - <a
<p align="left"><font size="2">Last updated 7/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -79,5 +80,6 @@ is left shifted by 24 bits. You can check this at a shell prompt by:</li>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -84,18 +84,18 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed in
the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
<br>
@ -117,7 +117,8 @@ Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
New to Shorewall? Start by selecting the
<a
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and follow
the step by step instructions.<br>
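Review bot: the QuickStart Guide link in this hunk points at file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm, a path on the author's local disk that will be broken for every reader; it should be the relative shorewall_quickstart_guide.htm used by the other copy of this page earlier in the diff. While here, "that most closely match your environment" should be "matches".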
@ -127,8 +128,8 @@ the step by step instructions.<br>
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not
apply directly to your setup. If you want to use the documentation
If so, the documentation<b> </b>on this site will
not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
@ -138,17 +139,23 @@ Index</a> is a good place to start as is the Quick Search to your right.
<h2><b>News</b></h2>
<p><b>7/7/2003 - Shorewall-1.4.6 Beta 2</b><b> <img border="0"
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b> </p>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a></b></blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered start
errors when started using the "service" mechanism has been worked around.<br>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of a
@ -159,7 +166,13 @@ a single DNAT rule with multiple "--to-destination" clauses.<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li value="4">A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
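Review bot: this new item uses <li value="4"> while the identical item added to the other copy of the News section earlier in the diff does not; the explicit value is unnecessary inside a sequential <ol> and is the first sign that the two hand-maintained copies of this text are drifting apart (the file:///vfat link in the previous hunk is another). Consider keeping the News section in one file only.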
@ -181,6 +194,7 @@ entries of the following format:<br>
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
@ -201,19 +215,19 @@ for packets arriving on the associated interface.<br>
first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin) over
a set of servers. Servers may be specified in a range of addresses given
as &lt;first address&gt;-&lt;last address&gt;.<br>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
have been removed and have been replaced by code that detects whether these
capabilities are present in the current kernel. The output of the start,
restart and check commands have been enhanced to report the outcome:<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the
start, restart and check commands have been enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -224,10 +238,10 @@ restart and check commands have been enhanced to report the outcome:<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
allows for rules which match against elements in netfilter's connection tracking
table. Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and check
commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -236,12 +250,13 @@ and check commands.<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is changed
in the following ways:</li>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
chains in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
@ -249,6 +264,7 @@ check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
@ -316,6 +332,7 @@ then the range may not span 128.0.0.0.<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24</li>
</ol>
<b> </b>
<ol>
@ -342,18 +359,18 @@ file; previously, INCLUDE in that file was ignored.</li>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule
may now contain a list of addresses. If the list begins with "!' then
the rule will take effect only if the original destination address in
the connection request does not match any of the addresses listed.</li>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
problems have been encountered with this set of software. The Shorewall
The firewall at shorewall.net has been upgraded to the 2.4.21
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
@ -362,6 +379,7 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b></b></p>
<ol>
@ -421,8 +439,8 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a
Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques
@ -524,6 +542,7 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
@ -551,7 +570,7 @@ and find it useful, please consider making a donation
</table>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>

View File

@ -29,9 +29,9 @@
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There
are a number of sources of Shorewall information. Please try
these before you post.
There are a number of sources of Shorewall information. Please
try these before you post.
<ul>
<li>Shorewall versions
earlier that 1.3.0 are no longer supported.<br>
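Review bot: the context line "Shorewall versions earlier that 1.3.0 are no longer supported" should read "earlier than 1.3.0"; since the surrounding paragraph is being rewrapped in this hunk, fix it now.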
@ -49,9 +49,9 @@ has solutions to more than 20 common problems.
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to
help you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility can
locate documents and posts about similar problems:
@ -96,8 +96,8 @@ locate documents and posts about similar problems:
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"><br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"><br>
</form>
</blockquote>
@ -114,21 +114,21 @@ locate documents and posts about similar problems:
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're
asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation.
<li>Please keep in mind that
you're asking for <strong>free</strong> technical
support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details
that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then ask
us to send you custom configuration files. We're
here to answer your questions but we can't do
your job for you.<br>
Please don't describe your environment and then
ask us to send you custom configuration files.
We're here to answer your questions but we can't
do your job for you.<br>
<br>
</li>
<li>When reporting a problem,
@ -185,10 +185,10 @@ better than a paraphrase or summary.<br>
<ul>
<ul>
<li><font color="#ff0000"><u><i><big><b>THIS IS IMPORTANT!<br>
<br>
</b></big></i></u></font>If your problem is that some type of connection
to/from or through your firewall isn't working then please:<br>
<li><big><font color="#ff0000"><u><i><big><b>THIS IS
IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem
is that some type of connection to/from or through your firewall isn't working
then please perform the following four steps:</big></big></big><br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
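Review bot: the new `<li>` line wraps the whole instruction sentence in three nested `<big>` tags (`<big><big><big> </big>If your problem ... four steps:</big></big></big>`), so the body text after "THIS IS IMPORTANT!" renders three sizes larger than the rest of the list, which does not look intentional; the outer `<big>` opened right after `<li>` is also only closed by the last of those three `</big>` tags, making the nesting hard to follow. Suggest keeping the emphasis on the heading only, e.g. `</font> If your problem is that some type of connection to/from or through your firewall isn't working then please perform the following four steps:<br>`, and dropping the extra `<big>` wrappers.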
@ -197,7 +197,8 @@ to/from or through your firewall isn't working then please:<br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
4. Post the /tmp/status.txt file as an attachment
(you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
@ -226,8 +227,8 @@ in the SMTP headers of your post).<br>
<li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of your
/etc/shorewall/interfaces file.<br>
If so, include the message(s) in your post along with a copy of
your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
@ -259,28 +260,28 @@ etc. to the Mailing List -- your post will be rejected.</b><
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<blockquote> A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML
is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers
I think that blocking all
HTML is a Draconian way to control spam and that the
ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
to get a <i>(expletive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured
the list server at shorewall.net to strip all HTML from outgoing
posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected. To
avoid this problem, you should configure your MTA to forward posts to shorewall.net
through an MTA that <u>does</u> have a valid PTR record (such as the one
at your ISP). </b></font></big><br>
unless/until the postmaster notices that your posts are being rejected.
To avoid this problem, you should configure your MTA to forward posts to
shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
as the one at your ISP). </b></font></big><br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
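Review bot: the reflowed line "to receive list posts as must as possible" preserves a typo from the original ("must" for "much"); while this paragraph is being rewrapped, change it to "to receive list posts as much as possible". The unchanged context line quoting the subscriber also has a stray apostrophe in "e-mail admin's" (plural, not possessive), which could be fixed in the same pass.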
@ -312,12 +313,10 @@ at your ISP). </b></font></big><br>
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 7/6/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>
</html>

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.6Beta2
VERSION=1.4.6RC1
usage() # $1 = exit status
{
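Review bot: the release string is hard-coded separately in this fallback script (`VERSION=1.4.6RC1`), in the install and uninstall scripts, and as `%define release` in the spec file, so every bump touches four files and a missed one would leave an installer that refuses to run against, or removes, the wrong version; consider sourcing the version from a single file at build time so the four copies cannot drift.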

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.6Beta2
VERSION=1.4.6RC1
usage() # $1 = exit status
{

View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 1.4.6
%define release 0Beta2
%define release 0RC1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
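Review bot: moving `%define release` from `0Beta2` to `0RC1` keeps the RPM upgrade path working only because rpm's version comparison splits the string into segments (`0`/`Beta`/`2` vs `0`/`RC`/`1`) and compares the alphabetic segments as strings, so "Beta" sorts before "RC" and a later final release of `1` sorts above both; worth a comment near the define so a future pre-release label (for example one that sorts before "RC") is not chosen by accident.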
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0RC1
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta2
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6Beta2
VERSION=1.4.6RC1
usage() # $1 = exit status
{