mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
Documentation updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2109 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
05a39f6d25
commit
9350da941e
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2005-01-19</pubdate>
<pubdate>2005-05-13</pubdate>

<copyright>
<year>2005</year>
@ -477,6 +477,9 @@ acton:info:test fw net</programlisting>
<para>$TAG="test"</para>
</listitem>
</itemizedlist>

<para>For an example of how to use these variables, see <ulink
url="PortKnocking.html">this article</ulink>.</para>
</section>

<section id="Extension">
@ -499,5 +502,8 @@ acton:info:test fw net</programlisting>

<para>/etc/shorewall/DropBcasts<programlisting>run_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP</programlisting></para>
</example>

<para>For a richer example, see <ulink url="PortKnocking.html">this
article</ulink>.</para>
</section>
</article>
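Review bot: the path in the new DropBcasts example, /etc/shorewall/DropBcasts, is plain text inside the <para>, while the rest of this commit wraps file names in <filename> (as it does for eastepnc6000.pem); wrap it the same way. Both new cross-references also use the link text "this article", which tells the reader nothing when the link is read out of context; name the target, e.g. "the Port Knocking article".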
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2005-05-09</pubdate>
<pubdate>2005-05-12</pubdate>

<copyright>
<year>2001-2005</year>
@ -439,6 +439,10 @@
</itemizedlist>
</listitem>

<listitem>
<para><ulink url="PortKnocking.html">Port Knocking</ulink></para>
</listitem>

<listitem>
<para><ulink url="PPTP.htm">PPTP</ulink></para>
</listitem>
@ -17,7 +17,7 @@
</author>
</authorgroup>

<pubdate>2005-05-09</pubdate>
<pubdate>2005-05-10</pubdate>

<copyright>
<year>2001-2005</year>
@ -77,7 +77,7 @@
not modify those files.</para>
</section>

<section>
<section id="faq44">
<title>(FAQ 44) I can't install/upgrade the RPM — I keep getting the
message "error: failed dependencies:iproute is needed..."</title>

@ -320,6 +320,14 @@ DNAT net fw:192.168.1.1:22 tcp 4104</programlisting>
url="http://ian.idallen.ca/dnat.txt">Paper about DNAT and
Linux</ulink>.</para>
</section>

<section id="faq48">
<title>(FAQ 48) How do I Set up Transparent Proxy with
Shorewall?</title>

<para>Answer: See <ulink
url="Shorewall_Squid_Usage.html">Shorewall_Squid_Usage.html</ulink>.</para>
</section>
</section>

<section>
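Review bot: the new FAQ 48 answer is inconsistent with the neighbouring FAQ 47 added in this same commit: "Answer:" is plain text here but <emphasis role="bold">Answer</emphasis> there, and the link text is the bare file name "Shorewall_Squid_Usage.html" where a descriptive title would read better. Use the bold markup and a descriptive link text so the FAQ entries look alike.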
@ -554,10 +562,9 @@ really dumb and does not deserve to exist at all. It was an excellent tool
to debug/develop the newnat interface.</programlisting></para>
</blockquote>

<para>Look <ulink url="http://linux-igd.sourceforge.net">here</ulink>
for a solution for MSN IM but be aware that there are significant
security risks involved with this solution. Also check the Netfilter
mailing list archives at <ulink
<para>Look <ulink url="UPnP.html">here</ulink> for a solution for MSN IM
but be aware that there are significant security risks involved with
this solution. Also check the Netfilter mailing list archives at <ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
</section>
</section>
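Review bot: the replacement paragraph keeps "be aware that there are significant security risks involved with this solution" without saying what they are or where they are described; now that the link points at the project's own UPnP.html, either name the risks in one sentence here or say explicitly that UPnP.html discusses them, so the reader knows what they would be accepting. "here" as link text should also become "the UPnP article".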
@ -757,6 +764,33 @@ SPT=33120 DPT=5000 LEN=22</programlisting>
# ZONE
generic:udp:5000 net 69.145.71.133</programlisting>
</section>

<section id="faq47">
<title>(FAQ 47) This Rule Doesn't Work as Documented</title>

<para>I want to allow access from the local zone to the net except for
two systems (192.168.100.101 and 192.168.100.115). I use the following
rule but find that 192.168.100.115 can still access the net. Is this a
bug?</para>

<programlisting>#ACTION SOURCE DEST PROTO
ACCEPT loc:!192.168.100.101,192.168.100.115 net</programlisting>

<para><emphasis role="bold">Answer</emphasis>: Shorewall is currently
inconsistent as to where it correctly supports the "!" before a list of
addresses. In some places, it works as you would expect and in other
cases such as this one it does not. You will need to take a different
approach to accomplish what you want. I recommend that you change your
loc->net policy to ACCEPT and then use this rule:</para>

<programlisting>#ACTION SOURCE DEST PROTO
REJECT loc:192.168.100.101,192.168.100.115 net</programlisting>

<para><emphasis role="bold">Author's Note</emphasis>: I have looked
several times at correcting this problem but it really isn't feasible
until I muster the energy to rewrite the Shorewall rules parser.
Sorry.</para>
</section>
</section>

<section>
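Review bot: the recommended workaround changes the security posture and the answer should say so. The user's original rule was written against a loc->net policy that blocked by default; the fix sets that policy to ACCEPT and REJECTs the two hosts, so every other loc host and every protocol is now allowed unless some other rule stops it. Add a sentence making that trade-off explicit. The example also shows that the unsupported "!" form fails open (192.168.100.115 was allowed through with no error at compile time), so readers who have used "!" before a list elsewhere should verify the generated chains rather than trust the rules file; listing the places where "!" does work would turn the Author's Note into actionable guidance.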
@ -2183,9 +2217,14 @@ REJECT fw net:216.239.39.99 all</programlisting>Given that
<title>(FAQ 42) How can I tell which features my kernel and iptables
support?</title>

<para>Answer: At a root prompt, enter the command <command>shorewall
check</command>. There is a section near the top of the resulting output
that gives you a synopsis of your kernel/iptables capabilities.</para>
<para>Answer: Users running Shorewall 2.2.4 or later can simply use the
<command>shorewall show capabilities</command> command at a root
prompt.</para>

<para>For those running older versions, at a root prompt, enter the
command <command>shorewall check</command>. There is a section near the
top of the resulting output that gives you a synopsis of your
kernel/iptables capabilities.</para>

<programlisting>gateway:/etc/shorewall # shorewall check
Loading /usr/share/shorewall/functions...
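Review bot: the sample output that follows is from shorewall check, the command now recommended only for older versions; readers on 2.2.4 or later are told to use shorewall show capabilities but get no sample of what it prints. Add its output, or state that the capabilities section looks the same, so both paragraphs are equally usable.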
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2005-05-02</pubdate>
<pubdate>2005-05-11</pubdate>

<copyright>
<year>2004</year>
@ -50,6 +50,48 @@
<para>You must have <emphasis role="bold">BOTH</emphasis> the
Netfilter+ipsec patches and the policy match patch. <emphasis
role="bold">One without the other will not work</emphasis>.</para>

<para>Here's a combination of components that I know works:</para>

<orderedlist>
<listitem>
<para>Kernel 2.6.11 from kernel.org. Patched with:</para>

<itemizedlist>
<listitem>
<para>The five patches in <ulink
url="http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11">http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11</ulink></para>
</listitem>

<listitem>
<para>The "policy match" extension from the Patch-o-matic-ng CVS
snapshot from 2005-May-04 (be sure to NOT try to apply the
ipsec-NN patches from patch-o-matic-ng).</para>
</listitem>
</itemizedlist>
</listitem>

<listitem>
<para>iptables 1.3.1 patched with the "policy match" extension from
the Patch-o-matic-ng CVS snapshot from 2005-May-04.</para>
</listitem>

<listitem>
<para>ipsec-tools 0.5.2 compiled from source. I've also had success
with:</para>

<itemizedlist>
<listitem>
<para>ipsec-tools 0.5.2 and racoon 0.5.2 from Debian
Sarge/testing</para>
</listitem>

<listitem>
<para>The ipsec-tools 0.5 rpm from SuSE 9.3.</para>
</listitem>
</itemizedlist>
</listitem>
</orderedlist>
</important>

<warning>
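Review bot: the five kernel patches at http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11 and the "policy match" extension from a Patch-o-matic-ng CVS snapshot are identified only by URL and date; for code that goes into the kernel and iptables, give readers a way to confirm they have the same files (a checksum or signature for the contrib directory, a tagged revision or the snapshot's file name for pom-ng). "be sure to NOT try to apply the ipsec-NN patches" would also be clearer if it said what breaks when they are applied on top of the contrib patches.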
@ -194,6 +236,13 @@
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
security policies that select which traffic to encrypt/decrypt.</para>

<para>This article assumes the use of ipsec-tools (<ulink
url="http://ipsec-tools.sourceforge.net">http://ipsec-tools.sourceforge.net</ulink>).
As of this writing, I recommend that you run at least version 0.5.2.
Debian users, please note that there are separate Debian packages for
ipsec-tools and racoon although the ipsec-tools project releases them as a
single package.</para>

<para>For more information on IPSEC, Kernel 2.6 and Shorewall see <ulink
url="LinuxFest.pdf">my presentation on the subject given at LinuxFest NW
2005</ulink>.</para>
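Review bot: "I recommend that you run at least version 0.5.2" conflicts with the known-good component list added earlier in this commit, which reports success with "The ipsec-tools 0.5 rpm from SuSE 9.3"; either say that 0.5 works but 0.5.2 is preferred and give the reason, or drop 0.5 from the list.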
@ -773,7 +822,7 @@ all all REJECT info
url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/</ulink>.</para>

<para>One piece of information that may not be so easy to find is "How
to I generate a PKCS#12 certificate to import into Windows?". Here's the
do I generate a PKCS#12 certificate to import into Windows?". Here's the
openssl command that I used:</para>

<programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>
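Review bot: the openssl pkcs12 -export command bundles the laptop's private key (the -inkey file) into eastepnc6000.pfx and, as written, will prompt for an export password; the paragraph should say that this password is the only protection on the key while the .pfx is carried to the Windows machine, so choose a strong one and delete the .pfx once it has been imported.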
@ -785,18 +834,19 @@ all all REJECT info

<itemizedlist>
<listitem>
<para>eastepnc6000.pem was the laptop's certificate in PEM
format.</para>
<para><filename>eastepnc6000.pem</filename> was the laptop's
certificate in PEM format.</para>
</listitem>

<listitem>
<para>eastepnc6000_key.pem was the laptop's private key (actually,
it's the original signing request which includes the private
key).</para>
<para><filename>eastepnc6000_key.pem</filename> was the laptop's
private key (actually, it's the original signing request which
includes the private key).</para>
</listitem>

<listitem>
<para>eastepnc6000.pfx is the PKCS#12 output file.</para>
<para><filename>eastepnc6000.pfx</filename> is the PKCS#12 output
file.</para>
</listitem>

<listitem>
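Review bot: the second bullet says eastepnc6000_key.pem is "the original signing request which includes the private key". A certificate signing request (PKCS#10) does not contain the private key; the file works with -inkey because it evidently holds a PEM private-key block alongside the request, as some tools write both into one file. Reword to something like "the file containing the laptop's private key (in my case the same file that held the signing request)" so readers do not conclude that a CSR carries the key.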
@ -813,4 +863,13 @@ all all REJECT info
different dialog boxes on Windows XP!!!</para>
</warning>
</section>

<section>
<title>Source of Additional Samples</title>

<para>Be sure to check out the <filename
class="directory">src/racoon/samples</filename> subdirectory in the
ipsec-tools source tree. It has a wide variety of sample racoon
configuration files.</para>
</section>
</article>
@ -185,10 +185,13 @@ INIT="rc.firewall"</programlisting>

<listitem>
<para>If you are running Slackware and are installing Shorewall 2.0.3
Beta 1 or later, then type:</para>
Beta 1 to Shorewall 2.2.3, then type:</para>

<programlisting><emphasis role="bold">DEST=/etc/rc.d INIT=rc.firewall ./install.sh</emphasis></programlisting>

<para>If you are running Slackware and are installing Shorewall 2.2.4 or later, then type:</para>
<programlisting><command>./install.sh</command></programlisting>

<para>Otherwise, type:</para>

<programlisting><command>./install.sh</command></programlisting>
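Review bot: the new Slackware instruction for 2.2.4 or later (./install.sh) is identical to the "Otherwise" case that follows it, so the extra paragraph tells the reader nothing; either fold it into "Otherwise", keeping only the 2.0.3 Beta 1 to 2.2.3 special case, or say what changed in install.sh that makes DEST and INIT unnecessary on Slackware. The first listing also marks the command with <emphasis role="bold"> while the two below use <command>; use <command> throughout.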
129
Shorewall-docs2/PortKnocking.xml
Normal file
@ -0,0 +1,129 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->

<articleinfo>
<title>Port Knocking</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2005-05-13</pubdate>

<copyright>
<year>2005</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published SHby the Free Software Foundation;
with no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<section>
<title>What is Port Knocking?</title>

<para>Port knocking is a technique whereby attempting to connect to port A
enables access to port B from that same host. For the example on which
this article is based, see <ulink
url="http://www.soloport.com/iptables.html">http://www.soloport.com/iptables.html</ulink>
which should be considered to be part of this documentation.</para>
</section>

<section>
<title>Implementing Port Knocking in Shorewall</title>

<para>In order to implement this solution, your iptables and kernel must
support the 'recent match' extension (see <ulink url="FAQ.htm#faq42">FAQ
42</ulink>). These instructions also assume Shorewall version 2.2.0 or
later.</para>

<para>In this example:</para>

<orderedlist>
<listitem>
<para>Attempting to connect to port 1600 enables SSH access.</para>
</listitem>

<listitem>
<para>Attempting to connect to port 1601 disables SSH access (note
that in the article linked above, attempting to connect to port 1599
also disables access. This is an port scan defence as explained in the
article). </para>
</listitem>
</orderedlist>

<para>To implement that approach:</para>

<orderedlist>
<listitem>
<para>Add an action named SSHKnock (see the <ulink
url="Actions.html">Action documentation</ulink>). Leave the
<filename>action.SSHKnock</filename> file empty.</para>
</listitem>

<listitem>
<para>Create /etc/shorewall/SSHKnock with the following
contents:</para>

<programlisting>if [ -n "$LEVEL" ]; then
log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22
fi
run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP</programlisting>
</listitem>

<listitem>
<para>Now if you want to protect SSH access to the firewall from the
Internet, add this rule in
<filename>/etc/shorewall/rules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock net fw tcp 22,1599,1600,1601</programlisting>

<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock:info net fw tcp 22,1599,1600,1601</programlisting>
</listitem>

<listitem>
<para>If you wish to use SSHKnock with a forwarded connection, you
must be using Shorewall 2.3.1 or later for fullest protection. Assume
that you forward port 22 from external IP address 206.124.146.178 to
internal system 192.168.1.5 In /etc/shorewall/rules:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net fw tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>

<note>
<para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
This rule will be quite secure provided that you specify 'norfc1918'
on your external interface.</para>
</note>
</listitem>
</orderedlist>
</section>
</article>
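Review bot: in the SSHKnock script the ACCEPT rule uses -m recent --rcheck --name SSH with no --seconds, so once a source address has knocked on 1600 its SSH access stays open indefinitely, until that same address happens to hit 1599 or 1601; the article should state this and consider documenting --seconds on the --rcheck rule so that an idle knock expires. The recent match also keys on source address, so every host behind the knocker's NAT gateway receives the same access, which "from that same host" in the first section glosses over. The note's claim that the DNAT variant on older releases is "quite secure provided that you specify 'norfc1918'" gives no reason, so readers cannot judge whether it holds for their setup. Typos: "published SHby" in the legal notice and "an port scan defence"; link suffixes are mixed (FAQ.htm and GnuCopyright.htm beside Actions.html and PortKnocking.html).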
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2005-04-06</pubdate>
<pubdate>2005-05-13</pubdate>

<copyright>
<year>2001-2005</year>
@ -131,6 +131,53 @@
<filename>/var/lib/shorewall/restore</filename> exists).</para>
</listitem>

<listitem>
<para>If you wish to generate a log message, use <emphasis
role="bold">log_rule_limit</emphasis>. Parameters are:</para>

<itemizedlist>
<listitem>
<para>Log Level</para>
</listitem>

<listitem>
<para>Chain to insert the rule into</para>
</listitem>

<listitem>
<para>Chain name to display in the message (this can be different
from the preceding argument — see the <ulink
url="PortKnocking.html">Port Knocking article</ulink> for an example
of how to use this).</para>
</listitem>

<listitem>
<para>Disposition to report in the message (ACCEPT, DROP,
etc)</para>
</listitem>

<listitem>
<para>Rate Limit (if passed as "" then $LOGLIMIT is assumed — see
the LOGLIMIT option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>)
</para>
</listitem>

<listitem>
<para>Log Tag ("" if none)</para>
</listitem>

<listitem>
<para>Command (-A or -I for append or insert). This argument applies
to Shorewall 2.2.0 and later only.</para>
</listitem>

<listitem>
<para>The remaining arguments are passed "as is" to iptables</para>
</listitem>
</itemizedlist>
</listitem>

<listitem>
<para>With Shorewall 2.0.2 Beta 1 and later versions, if you run
commands other than <command>iptables</command> that must be re-run in
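Review bot: the log_rule_limit parameter list is positional, and the seventh entry (Command, -A or -I) "applies to Shorewall 2.2.0 and later only", so a call written for one side of that boundary shifts every following iptables argument by one on the other; say explicitly how a pre-2.2.0 call differs (argument omitted, or present and ignored). A <programlisting> with one complete call, such as the Port Knocking article's log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 ..., would let readers map each parameter to its position. That example also pairs every log_rule_limit call with a matching run_iptables rule; the list should say whether log_rule_limit emits only the logging rule and the real rule is still the caller's job.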