From 89122c0d5581be72ae639e3e313c311fc298f469 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 5 Oct 2015 07:51:43 -0700 Subject: [PATCH] Updates for routestopped -> stoppedrules Signed-off-by: Tom Eastep --- docs/CompiledPrograms.xml | 8 ++-- docs/FAQ.xml | 10 ++-- docs/Manpages.xml | 2 +- docs/Manpages6.xml | 2 +- docs/Shorewall-Lite.xml | 6 +-- docs/ipsets.xml | 4 +- docs/shorewall_extension_scripts.xml | 4 +- docs/shorewall_setup_guide.xml | 59 ++++++++++++------------ docs/standalone.xml | 27 ++++++----- docs/starting_and_stopping_shorewall.xml | 6 +-- 10 files changed, 65 insertions(+), 63 deletions(-) diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index 62c4cfedf..e87c09dd4 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -186,8 +186,8 @@ configuring Shorewall on the firewall system itself). It's a good idea to include the IP address of the administrative system in the routestopped - file. + url="manpages/shorewall-stoppedrules.html">stoppedrules + file. It is important to understand that with Shorewall Lite, the firewall's export directory on the administrative system @@ -493,7 +493,7 @@ clean: Be sure that the IP address of the administrative system is included in the firewall's export directory - routestopped file. + stoppedrules file. shorewall stop @@ -514,7 +514,7 @@ clean: It's a good idea to include the IP address of the administrative system in the firewall system's routestopped + url="manpages/shorewall-stoppedrules.html">stoppedrules file. Also, edit the shorewall.conf file in diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 2538b1496..605176903 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -247,7 +247,7 @@ DNAT net:address loc:local-IP-address You are trying to test from inside your firewall (no, that - won't work -- see ). + won't work -- see ). 
@@ -2029,7 +2029,7 @@ Dec 15 16:47:30 heath-desktop last message repeated 2 times ADMINISABSENTMINDED in shorewall.conf (5) and the contents of shorewall-routestopped + url="manpages/shorewall-stoppedrules.html">shorewall-stoppedrules (5). To totally open the firewall, use the clear command. @@ -2138,8 +2138,8 @@ Creating input Chains... /sbin/shorewall stop places the firewall in a safe state, the details of which depend on your - /etc/shorewall/routestopped file (shorewall-routestopped(5)) + /etc/shorewall/stoppedrules file (shorewall-stoppedrules(5)) and on the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf (shorewall.conf(5)). @@ -3065,7 +3065,7 @@ Shorewall has detected the following iptables/netfilter capabilities: Persistent SNAT: Available gateway:~# - +
diff --git a/docs/Manpages.xml b/docs/Manpages.xml index 45c1fb040..48a8d7bae 100644 --- a/docs/Manpages.xml +++ b/docs/Manpages.xml @@ -37,7 +37,7 @@ These manpages are for Shorewall 5.0 and later only. They describe features and options not available on earlier releases. The manpages for - Shorewall 4.4-4.6 are available + Shorewall 4.4-4.6 are available here. diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml index d4042fc5f..8dd027b3d 100644 --- a/docs/Manpages6.xml +++ b/docs/Manpages6.xml @@ -38,7 +38,7 @@ These manpages are for Shorewall6 5.0 and later only. They describe features and options not available on earlier releases.The manpages for Shorewall 4.4-4.6 are available here. + url="/manpages4/Manpages.html">here.
diff --git a/docs/Shorewall-Lite.xml b/docs/Shorewall-Lite.xml index b6ffb6411..4ab0995c4 100644 --- a/docs/Shorewall-Lite.xml +++ b/docs/Shorewall-Lite.xml @@ -191,7 +191,7 @@ configuring Shorewall on the firewall system itself). It's a good idea to include the IP address of the administrative system in the routestopped + url="manpages/shorewall-stoppedrules.html">stoppedrules file. It is important to understand that with Shorewall Lite, @@ -412,7 +412,7 @@ Be sure that the IP address of the administrative system is included in the firewall's export directory - routestopped file. + stoppedrules file. shorewall stop @@ -433,7 +433,7 @@ It's a good idea to include the IP address of the administrative system in the firewall system's routestopped + url="manpages/shorewall-stoppedrules.html">stoppedrules file. Also, edit the shorewall.conf file in diff --git a/docs/ipsets.xml b/docs/ipsets.xml index 4640fc04f..468761d07 100644 --- a/docs/ipsets.xml +++ b/docs/ipsets.xml @@ -146,8 +146,10 @@ ACCEPT net:+sshok $FW tcp 22 You cannot use an ipset in shorewall-stoppedrules + (5) (shorewall-routestopped - (5). + (5)). diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml index dae67b5b1..7ffbe4620 100644 --- a/docs/shorewall_extension_scripts.xml +++ b/docs/shorewall_extension_scripts.xml @@ -174,8 +174,8 @@ esac indeterminate. So if you have ADMINISABSENTMINDED=No in shorewall.conf(8) and output on an interface is not allowed by routestopped(8) then - the isuasable script must blow it's own holes in the firewall + url="manpages/shorewall-stoppedrules.html">stoppedrules(8) + then the isuasable script must blow it's own holes in the firewall before probing. diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml index a83bc3b1f..de44d7869 100644 --- a/docs/shorewall_setup_guide.xml +++ b/docs/shorewall_setup_guide.xml 
@@ -67,7 +67,7 @@ yourself with what's involved then go back through it again making your configuration changes. Points at which configuration changes are recommended are flagged with . + fileref="images/BD21298_.gif"/>. @@ -96,7 +96,7 @@
Shorewall Concepts - + The configuration files for Shorewall are contained in the directory /etc/shorewall -- for most setups, @@ -195,7 +195,7 @@ dmz ipv4 the Internet zone or because that is the DMZ. - + Edit the /etc/shorewall/zones file and make any changes necessary. @@ -304,7 +304,7 @@ all all REJECT info - + At this point, edit your /etc/shorewall/policy and make any changes that you wish. @@ -338,7 +338,7 @@ all all REJECT info - + The simplest way to define zones is to associate the zone name (previously defined in /etc/shorewall/zones) with a network interface. @@ -357,7 +357,7 @@ all all REJECT info external interface will be ippp0. - + If your external interface is ppp0 or Note that the $FW zone has no entry in the /etc/shorewall/interfaces file. - + Edit the /etc/shorewall/interfaces file and define the network interfaces on your firewall and associate each @@ -441,7 +441,7 @@ loc eth1 detect loc eth2 detect - + You may define more complicated zones using the /etc/shorewall/hosts @@ -1231,7 +1231,7 @@ tcpdump: listening on eth2 Before we begin, there is one thing for you to check: - + If you are using the Debian package, please check your shorewall.conf file to ensure that the following are set correctly; if @@ -1254,7 +1254,7 @@ tcpdump: listening on eth2 this many IP addresses, you are able to subnet your /28 into two /29's and set up your network as shown in the following diagram. - + Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ would 
@@ -1362,19 +1362,19 @@ Destination Gateway Genmask Flags MSS Window irtt Iface address and the source IP address of Internet requests sent from that zone. - + The local zone has been subnetted as 192.168.201.0/29 (netmask 255.255.255.248). - + The systems in the local zone would be configured with a default gateway of 192.168.201.1 (the IP address of the firewall's local interface). - + SNAT is configured in Shorewall using the /etc/shorewall/masq @@ -1401,7 +1401,7 @@ eth0 192.168.201.0/29 192.0.2.176 systems do not have a public IP address. DNAT provides a way to allow selected connections from the Internet. - + Suppose that your daughter wants to run a web server on her system Local 3. You could allow connections to the @@ -1475,7 +1475,7 @@ DNAT net loc:192.168.201.4 tcp www Let us suppose that we decide to use Proxy ARP on the DMZ in our example network. - + Here, we've assigned the IP addresses 192.0.2.177 to system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an @@ -1483,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www the firewall. That address and netmask isn't relevant - just be sure it doesn't overlap another subnet that you've defined. - + The Shorewall configuration of Proxy ARP is done using the/etc/shorewall/proxyarp @@ -1591,7 +1591,7 @@ DNAT net loc:192.168.201.4 tcp www example involving your daughter's web server running on system Local 3. - + Recall that in this setup, the local network is using SNAT and is sharing the firewall external IP (192.0.2.176) for outbound @@ -1601,7 +1601,7 @@ DNAT net loc:192.168.201.4 tcp www #INTERFACE SUBNET ADDRESS eth0 192.168.201.0/29 192.0.2.176 - + Suppose now that you have decided to give your daughter her own IP address (192.0.2.179) for both inbound and outbound connections. 
@@ -1615,7 +1615,7 @@ eth0 192.168.201.0/29 192.0.2.176 and the other two local systems share the firewall's IP address. - + Once the relationship between 192.0.2.179 and 192.168.201.4 is established by the nat file entry above, it is no longer appropriate @@ -1708,7 +1708,7 @@ ACCEPT net loc:192.168.201.4 tcp www not use those macros but rather defines the rules directly. - + With the default policies described earlier in this document, your local systems (Local 1-3) can access any server on the Internet and the 
@@ -1799,7 +1799,7 @@ ACCEPT net $FW tcp ssh #SSH to the prefer to use NAT only in cases where a system that is part of an RFC 1918 subnet needs to have its own public IP. - + If you haven't already, it would be a good idea to browse through The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall - is stopped, routing is enabled on those hosts that have an entry in + is stopped, routing is enabled on those hosts that have an ACCEPT entry in /etc/shorewall/routestopped. + url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules. A running firewall may be restarted using the shorewall restart command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear. - + Edit the /etc/shorewall/routestopped - file and configure those systems that you want to be able to access the - firewall when it is stopped. + url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules + file and add ACCEPT rules for those systems that you want to be able to + access the firewall when it is stopped. If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have added an - entry for the IP address that you are connected from to /etc/shorewall/routestopped. + ACCEPT entry for the IP address that you are connected from to + /etc/shorewall/stoppedrules. Also, I don't recommend using shorewall restart; it is better to create an an alternate diff --git a/docs/standalone.xml b/docs/standalone.xml index 96dd2aa8c..d47e46754 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -119,19 +119,18 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to Debian and it's derivatives are marked with . + format="GIF"/>.
PPTP/ADSL - + If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you @@ -144,7 +143,7 @@
Shorewall Concepts - + The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple @@ -177,7 +176,7 @@ - If + If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall/examples/one-interface.. @@ -352,7 +351,7 @@ root@lists:~# the external interface. - + The Shorewall one-interface sample configuration assumes that the external interface is eth0. If @@ -460,7 +459,7 @@ root@lists:~# - + If you are running a distribution that logs Netfilter messages to a log other than /var/log/messages, then modify the @@ -500,7 +499,7 @@ root@lists:~# /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. - + Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -571,7 +570,7 @@ ACCEPT net $FW tcp 143
SSH(ACCEPT) net $FW - + At this point, edit /etc/shorewall/rules to add other connections as desired. @@ -580,7 +579,7 @@ SSH(ACCEPT) net $FW
Starting and Stopping Your Firewall - + The installation procedure configures your system to start Shorewall at system boot but startup is @@ -588,7 +587,7 @@ SSH(ACCEPT) net $FW configuration is complete. Once you have completed configuration of your firewall, you must edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. + fileref="images/openlogo-nd-25.png"/> Users of the .deb package must edit @@ -610,7 +609,7 @@ SSH(ACCEPT) net $FW The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is - stopped, routing is enabled on those hosts that have an entry in + stopped, traffic is enabled on those hosts that have an entry in /etc/shorewall/stoppedrules ( systemctl disable iptables.service - + At this point, disable your existing firewall service.
diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 317db0f03..dc514a74e 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -151,7 +151,7 @@ all Netfilter rules and open your firewall for all traffic to pass. It rather places your firewall in a safe state defined by the contents of your /etc/shorewall/routestopped + url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf. @@ -638,8 +638,8 @@ firewall stop - Only traffic to/from hosts listed in - /etc/shorewall/routestopped is passed to/from/through the + Only traffic allowed by ACCEPT entries in + /etc/shorewall/stoppedrules is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then in addition, all existing connections are retained and all connection requests from the
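Review bot: the replacement line in the docs/shorewall_extension_scripts.xml hunk carries over two defects from the old text: "it's own holes" should be "its own holes", and "isuasable" looks like a misspelling of the isusable extension script the paragraph is describing. Since the line is being re-emitted anyway, it would be worth fixing both in the same commit, e.g. "then the isusable script must blow its own holes in the firewall before probing."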
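Review bot: the docs/shorewall_setup_guide.xml hunk keeps the wording "routing is enabled on those hosts that have an ACCEPT entry in /etc/shorewall/stoppedrules", while the parallel sentence in the docs/standalone.xml hunk is changed from "routing is enabled" to "traffic is enabled". The two guides should say the same thing; "traffic" is the more accurate description of what a stoppedrules ACCEPT entry permits, so the setup guide sentence should be updated to match. In the same region, the unchanged context line "create an an alternate" has a duplicated "an" that could be fixed while this paragraph is being touched.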
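Review bot: in the docs/standalone.xml hunk for "Starting and Stopping Your Firewall", the new line says "those hosts that have an entry in /etc/shorewall/stoppedrules", whereas the setup guide hunk says "an ACCEPT entry" and the starting_and_stopping_shorewall.xml hunk says "traffic allowed by ACCEPT entries". A stoppedrules entry is not necessarily an ACCEPT rule, so this sentence should also read "an ACCEPT entry" for consistency with the other two files. The earlier Conventions hunk in the same file sits next to the context text "Debian and it's derivatives", which should be "its derivatives".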
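Review bot: the docs/ipsets.xml hunk produces "You cannot use an ipset in shorewall-stoppedrules (5) (shorewall-routestopped (5))", where the old name is left as a bare parenthetical with nested parentheses, which reads as if both files still exist. If the intent is to help readers of older releases, say so explicitly, e.g. "shorewall-stoppedrules(5) (formerly shorewall-routestopped(5))"; otherwise drop the old reference as the other hunks do. Separately, the docs/Manpages6.xml hunk's context line "earlier releases.The manpages" is missing a space after the period and could be fixed in the same paragraph.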