Table Elimination Work

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1050 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2004-01-01 22:23:30 +00:00 · 2004-01-01 22:23:30 +00:00 · 9ca64face0
commit 9ca64face0
parent 98660c3439
5 changed files with 524 additions and 1584 deletions
--- a/Shorewall-docs/Documentation_Index.xml
+++ b/Shorewall-docs/Documentation_Index.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2003-12-30</pubdate>
+    <pubdate>2003-12-31</pubdate>
    <copyright>
      <year>2001-2003</year>
@ -36,14 +36,16 @@
  </articleinfo>
  <caution>
-    <para>Running Shorewall on <ulink url="http://www.mandrakesoft.tom">Mandrake
+    <para>Are you running Shorewall on <ulink
-    Linux</ulink> with a two-interface setup?</para>
+    url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark> Linux</ulink>
    with a two-interface setup?</para>
-    <para>If so, this documentation will not apply directly to your setup. If
+    <para>If so, this documentation will not apply directly to your
-    you want to use the documentation that you find here, you will want to
+    environment. If you want to use the documentation that you find here, you
-    consider uninstalling what you have and installing a setup that matches
+    will want to consider uninstalling what you have and installing a
-    this documentation. See the <ulink url="two-interface.htm">Two-interface
+    configuration that matches this documentation. See the <ulink
-    QuickStart Guide</ulink> for details. </para>
+    url="two-interface.htm">Two-interface QuickStart Guide</ulink> for
    details.</para>
  </caution>
  <itemizedlist>
--- a/Shorewall-docs/shorewall_setup_guide.xml
+++ b/Shorewall-docs/shorewall_setup_guide.xml
--- a/Shorewall-docs/support.xml
+++ b/Shorewall-docs/support.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2003-12-18</pubdate>
+    <pubdate>2003-01-01</pubdate>
    <copyright>
-      <year>2001-2003</year>
+      <year>2001-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -31,22 +31,8 @@
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
    <revhistory>
      <revision>
        <revnumber>1.1</revnumber>
        <date>2003-12-19</date>
        <authorinitials>TE</authorinitials>
        <revremark>Corrected URL for Newbies List</revremark>
      </revision>
    </revhistory>
  </articleinfo>
  <graphic fileref="images/obrasinf.gif" format="GIF" valign="middle" />
  <section>
    <title>Before Reporting a Problem or Asking a Question</title>
@ -54,10 +40,6 @@
    these before you post.</para>
    <itemizedlist>
      <listitem>
        <para>Shorewall versions earlier that 1.3.0 are no longer supported.</para>
      </listitem>
      <listitem>
        <para>More than half of the questions posted on the support list have
        answers directly accessible from the <ulink
@ -91,9 +73,7 @@
    <title>Problem Reporting Guidelines</title>
    <note>
-      <para>In this section, commands that are to be entered to a root shell
+      <para>Shorewall versions earlier that 1.3.0 are no longer supported.</para>
      on your firewall system are underlined or are shown in a box with a
      colored background.</para>
    </note>
    <itemizedlist>
@ -149,19 +129,19 @@
          <listitem>
            <para>the exact version of Shorewall you are running.</para>
-            <programlisting>shorewall version</programlisting>
+            <programlisting><command>shorewall version</command></programlisting>
          </listitem>
          <listitem>
            <para>the complete, exact output of</para>
-            <programlisting>ip addr show</programlisting>
+            <programlisting><command>ip addr show</command></programlisting>
          </listitem>
          <listitem>
            <para>the complete, exact output of</para>
-            <programlisting>ip route show</programlisting>
+            <programlisting><command>ip route show</command></programlisting>
          </listitem>
          <listitem>
@ -172,10 +152,8 @@
            <orderedlist>
              <listitem>
-                <para><emphasis role="bold">If shorewall isn&#39;t running</emphasis>
+                <para>If Shorewall isn&#39;t started then <command>/sbin/shorewall/start</command>.
-                then <emphasis role="underline">/sbin/shorewall/start</emphasis>.
+                Otherwise <command>/sbin/shorewall reset</command>.</para>
                <emphasis role="bold">Otherwise</emphasis> <emphasis
                role="underline">/sbin/shorewall reset</emphasis>.</para>
              </listitem>
              <listitem>
@ -183,13 +161,12 @@
              </listitem>
              <listitem>
-                <para><emphasis role="underline">/sbin/shorewall status &#62;
+                <para><command>/sbin/shorewall status &#62; /tmp/status.txt</command></para>
                /tmp/status.txt</emphasis></para>
              </listitem>
              <listitem>
-                <para>Post the /tmp/status.txt file as an attachment (you may
+                <para>Post the <filename>/tmp/status.txt</filename> file as an
-                compress it if you like).</para>
+                attachment (you may compress it if you like).</para>
              </listitem>
            </orderedlist>
          </listitem>
@ -215,11 +192,10 @@
      </listitem>
      <listitem>
-        <para>Do you see any <quote>Shorewall</quote> messages (<quote><emphasis
+        <para>Do you see any <quote>Shorewall</quote> messages (<quote><command>/sbin/shorewall
-        role="underline">/sbin/shorewall show log</emphasis></quote>) when you
+        show log</command></quote>) when you exercise the function that is
-        exercise the function that is giving you problems? If so, include the
+        giving you problems? If so, include the message(s) in your post along
-        message(s) in your post along with a copy of your
+        with a copy of your /etc/shorewall/interfaces file.</para>
        /etc/shorewall/interfaces file.</para>
      </listitem>
      <listitem>
@ -231,15 +207,15 @@
      </listitem>
      <listitem>
-        <para>If an error occurs when you try to <quote><emphasis
+        <para>If an error occurs when you try to <quote><command>shorewall
-        role="underline">shorewall start</emphasis></quote>, include a trace
+        start</command></quote>, include a trace (See the Troubleshooting
-        (See the Troubleshooting section for instructions).</para>
+        section for instructions).</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">The list server limits posts to 120kb so
-        don&#39;t post GIFs of your network layout, etc. to the Mailing List
+        don&#39;t post graphics of your network layout, etc. to the Mailing
-        -- your post will be rejected</emphasis>.</para>
+        List -- your post will be rejected</emphasis>.</para>
      </listitem>
      <listitem>
@ -316,4 +292,13 @@
    <para>For information on other Shorewall mailing lists, go to <ulink
    url="http://lists.shorewall.net">http://lists.shorewall.net</ulink> .</para>
  </section>
  <appendix>
    <title>Revision History</title>
    <para><revhistory><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
    .GIF and moved note about unsupported releases. Move Revision History to
    this Appendix.</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-19</date><authorinitials>TE</authorinitials><revremark>Corrected
    URL for Newbies List</revremark></revision></revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs/troubleshoot.xml
+++ b/Shorewall-docs/troubleshoot.xml
@ -13,10 +13,10 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2003/12/22</pubdate>
+    <pubdate>2004-01-01</pubdate>
    <copyright>
-      <year>2003</year>
+      <year>2001-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -31,12 +31,6 @@
    </legalnotice>
  </articleinfo>
  <graphic align="center" fileref="images/obrasinf.gif" />
  <para><emphasis role="bold"><quote>If you think you can you can; if you
  think you can&#39;t you&#39;re right. If you don&#39;t believe that you can,
  why should someone else?</quote> -- Gunnar Tapper</emphasis></para>
  <section>
    <title>First Steps</title>
@ -72,14 +66,15 @@
      </listitem>
      <listitem>
-        <para>shorewall debug start 2&#62; /tmp/trace</para>
+        <para><command>shorewall debug start 2&#62; /tmp/trace</command></para>
      </listitem>
      <listitem>
-        <para>Look at the /tmp/trace file and see if that helps you determine
+        <para>Look at the <filename>/tmp/trace</filename> file and see if that
-        what the problem is. Be sure you find the place in the log where the
+        helps you determine what the problem is. Be sure you find the place in
-        error message you saw is generated -- If you are using Shorewall 1.4.0
+        the log where the error message you saw is generated -- If you are
-        or later, you should find the message near the end of the log.</para>
+        using Shorewall 1.4.0 or later, you should find the message near the
        end of the log.</para>
      </listitem>
      <listitem>
@ -93,26 +88,26 @@
      <para>During startup, a user sees the following:</para>
-      <programlisting>        Adding Common Rules
+      <programlisting>Adding Common Rules
-        iptables: No chain/target/match by that name
+iptables: No chain/target/match by that name
-        Terminated</programlisting>
+Terminated</programlisting>
      <para>A search through the trace for <quote>No chain/target/match by
      that name</quote> turned up the following:</para>
-      <programlisting>        + echo &#39;Adding Common Rules&#39;
+      <programlisting>+ echo &#39;Adding Common Rules&#39;
-        + add_common_rules
+ add_common_rules
-        + run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
-        ++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
-        ++ sed &#39;s/!/! /g&#39;
++ sed &#39;s/!/! /g&#39;
-        + iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
-        iptables: No chain/target/match by that name
+iptables: No chain/target/match by that name
 </programlisting>
-      <para>The command that failed was: <quote>iptables -A reject -p tcp -j
+      <para>The command that failed was: <quote><command>iptables -A reject -p
-      REJECT --reject-with tcp-reset</quote>. In this case, the user had
+      tcp -j REJECT --reject-with tcp-reset</command></quote>. In this case,
-      compiled his own kernel and had forgotten to include REJECT target
+      the user had compiled his own kernel and had forgotten to include REJECT
-      support (see <ulink url="kernel.htm">kernel.htm</ulink>)</para>
+      target support (see <ulink url="kernel.htm">kernel.htm</ulink>)</para>
    </example>
  </section>
@ -140,8 +135,8 @@
        requests, this type of setup does NOT work the way that you expect it
        to. If you are running Shorewall version 1.4.7 or later, you can test
        using this kind of configuration if you specify the <emphasis
-        role="bold">arp_filter</emphasis> option in <ulink
+        role="bold">arp_filter</emphasis> option in <filename><ulink
-        url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>
+        url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
        for all interfaces connected to the common hub/switch. Using such a
        setup with a production firewall is strongly recommended against.</para>
      </listitem>
@ -163,25 +158,28 @@
    will generate when you try to connect in a way that isn&#39;t permitted by
    your rule set.</para>
-    <para>Check your log (<quote>/sbin/shorewall show log</quote>). If you
+    <para>Check your log (<quote><command>/sbin/shorewall show log</command></quote>).
-    don&#39;t see Shorewall messages, then your problem is probably NOT a
+    If you don&#39;t see Shorewall messages, then your problem is probably NOT
-    Shorewall problem. If you DO see packet messages, it may be an indication
+    a Shorewall problem. If you DO see packet messages, it may be an
-    that you are missing one or more rules -- see <ulink url="FAQ.htm#faq17">FAQ
+    indication that you are missing one or more rules -- see <ulink
-    17</ulink>.</para>
+    url="FAQ.htm#faq17">FAQ 17</ulink>.</para>
    <para>While you are troubleshooting, it is a good idea to clear two
-    variables in /etc/shorewall/shorewall.conf:</para>
+    variables in <filename><filename>/etc/shorewall/shorewall.conf</filename></filename>:</para>
-    <para><programlisting>     LOGRATE=&#34;&#34;
+    <para><programlisting>LOGRATE=
-     LOGBURST=&#34;&#34;</programlisting>This way, you will see all of the log
+LOGBURST=&#34;&#34;</programlisting>This way, you will see all of the log
    messages being generated (be sure to restart shorewall after clearing
    these variables).</para>
    <example>
      <title>Log Message</title>
-      <programlisting>Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
+      <programlisting>Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
-                                LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>
+                                OUT=eth1 SRC=192.168.2.2
                                DST=192.168.1.3 LEN=67 TOS=0x00
                                PREC=0x00 TTL=63 ID=5805 DF
                                PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>
      <para>Let&#39;s look at the important parts of this message:</para>
@ -220,7 +218,9 @@
      <para>In this case, 192.168.2.2 was in the <quote>dmz</quote> zone and
      192.168.1.3 is in the <quote>loc</quote> zone. I was missing the rule:</para>
-      <programlisting>ACCEPT    dmz    loc    udp    53</programlisting>
+      <programlisting>#ACTION   SOURCE           DEST                  PROTO   DEST
 #                                                        PORT(S)
 ACCEPT    dmz              loc                   udp     53</programlisting>
    </example>
  </section>
@ -230,7 +230,39 @@
    <para>Either can&#39;t ping when you think you should be able to or are
    able to ping when you think that you shouldn&#39;t be allowed?
    Shorewall&#39;s <quote>Ping</quote> Management is <ulink url="ping.html">described
-    here</ulink>.</para>
+    here</ulink>. Here are a couple of tips:</para>
    <itemizedlist>
      <listitem>
        <para>Remember that Shorewall doesn&#39;t automatically allow ICMP
        type 8 (<quote>ping</quote>) requests to be sent between zones. If you
        want pings to be allowed between zones, you need a rule of the form:</para>
        <programlisting>#ACTION  SOURCE          DEST                  PROTO   DEST
 #                                                      PORT(S)
 ACCEPT&#x00A0;&#x00A0; <emphasis>&#60;source zone&#62;</emphasis>&#x00A0;&#x00A0; <emphasis>&#60;destination zone&#62;</emphasis>&#x00A0;&#x00A0;&#x00A0; icmp&#x00A0;&#x00A0;&#x00A0; echo-request</programlisting>
        <para>The ramifications of this can be subtle. For example, if you
        have the following in <filename><ulink url="NAT.htm">/etc/shorewall/nat</ulink></filename>:</para>
        <programlisting>#EXTERNAL   INTERFACE  INTERNAL
 10.1.1.2&#x00A0;&#x00A0;&#x00A0; eth0&#x00A0;&#x00A0;&#x00A0;    130.252.100.18</programlisting>
        <para>and you ping 130.252.100.18, unless you have allowed icmp type 8
        between the zone containing the system you are pinging from and the
        zone containing 10.1.1.2, the ping requests will be dropped.</para>
      </listitem>
      <listitem>
        <para>Similarly, since Shorewall gives no special treatment to
        <quote>ping</quote>packets, these packets are subject to logging
        specifications in policies. This allows people pinging your firewall
        to create large number of messages in your log. These messages can be
        eliminated by the following rule:<programlisting>#ACTION   SOURCE           DEST                PROTO   DEST
 #                                                      PORT(S)
 DROP      net              fw                  icmp    echo-request</programlisting></para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
@ -245,7 +277,7 @@
          <listitem>
            <para>your zone definitions are screwed up and the host that is
            sending the packets or the destination host isn&#39;t in any zone
-            (using an <ulink url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>
+            (using an <ulink url="Documentation.htm#Hosts"><filename>/etc/shorewall/hosts</filename></ulink>
            file are you?); or</para>
          </listitem>
@ -254,28 +286,11 @@
            same interface and you don&#39;t have a policy or rule for the
            source zone to or from the destination zone or you haven&#39;t set
            the <emphasis role="bold">routeback</emphasis> option for the
-            interface in <ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
+            interface in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
          </listitem>
        </orderedlist>
      </listitem>
      <listitem>
        <para>Remember that Shorewall doesn&#39;t automatically allow ICMP
        type 8 (<quote>ping</quote>) requests to be sent between zones. If you
        want pings to be allowed between zones, you need a rule of the form:</para>
        <programlisting>&#x00A0;&#x00A0;&#x00A0; ACCEPT&#x00A0;&#x00A0;&#x00A0; <emphasis>&#60;source zone&#62;</emphasis>&#x00A0;&#x00A0;&#x00A0; <emphasis>&#60;destination zone&#62;</emphasis>&#x00A0;&#x00A0;&#x00A0; icmp&#x00A0;&#x00A0;&#x00A0; echo-request</programlisting>
        <para>The ramifications of this can be subtle. For example, if you
        have the following in <ulink url="NAT.htm">/etc/shorewall/nat</ulink>:</para>
        <programlisting>&#x00A0;&#x00A0;&#x00A0; 10.1.1.2&#x00A0;&#x00A0;&#x00A0; eth0&#x00A0;&#x00A0;&#x00A0; 130.252.100.18</programlisting>
        <para>and you ping 130.252.100.18, unless you have allowed icmp type 8
        between the zone containing the system you are pinging from and the
        zone containing 10.1.1.2, the ping requests will be dropped.</para>
      </listitem>
      <listitem>
        <para>If you specify <quote>routefilter</quote> for an interface, that
        interface must be up prior to starting the firewall.</para>
@ -286,11 +301,11 @@
        need to be configured with their default gateway set to the IP address
        of their nearest firewall interface. One often overlooked aspect of
        routing is that in order for two hosts to communicate, the routing
-        between them must be set up <emphasis role="underline">in both
+        between them must be set up <emphasis role="bold">in both directions</emphasis>.
-        directions</emphasis>. So when setting up routing between <emphasis
+        So when setting up routing between <emphasis role="bold">A</emphasis>
-        role="bold">A</emphasis> and <emphasis role="bold">B</emphasis>, be
+        and <emphasis role="bold">B</emphasis>, be sure to verify that the
-        sure to verify that the route from <emphasis role="bold">B</emphasis>
+        route from <emphasis role="bold">B</emphasis> back to <emphasis
-        back to <emphasis role="bold">A</emphasis> is defined.</para>
+        role="bold">A</emphasis> is defined.</para>
      </listitem>
      <listitem>
@ -318,7 +333,7 @@
        <para>Problems with NAT? Be sure that you let Shorewall add all
        external addresses to be use with NAT unless you have set <ulink
        url="Shorewall_and_Aliased_Interfaces.html">ADD_IP_ALIASES</ulink> =No
-        in /etc/shorewall/shorewall.conf.</para>
+        in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
      </listitem>
    </itemizedlist>
  </section>
@ -328,4 +343,12 @@
    <para>See the <ulink url="support.htm">Shorewall Support Page</ulink>.</para>
  </section>
-</article>
+
  <appendix>
    <title>Revision History</title>
    <para><revhistory><revision><revnumber>1.2</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
    information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
    Docbook Conversion</revremark></revision></revhistory></para>
  </appendix>
 </article>
--- a/Shorewall-docs/two-interface.xml
+++ b/Shorewall-docs/two-interface.xml
@ -12,7 +12,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate><?dbtimestamp format="Y-m-d"?></pubdate>
+    <pubdate>2003-12-31</pubdate>
    <copyright>
      <year>2002</year>
@ -508,7 +508,7 @@
    url="FAQ.htm#faq2">Shorewall FAQ #2</ulink>.</para></listitem><listitem><para>Many
    <acronym>ISP</acronym>s block incoming connection requests to port 80. If
    you have problems connecting to your web server, try the following rule
-    and try connecting to port 5000. </para></listitem></itemizedlist><informaltable
+    and try connecting to port 5000.</para></listitem></itemizedlist><informaltable
    frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
    valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
    align="left">SOURCE</entry><entry align="left">DEST</entry><entry
@ -634,7 +634,7 @@
    url="ports.htm">here</ulink>. <important><para>I don&#39;t recommend
    enabling <command>telnet</command> to/from the internet because it uses
    clear text (even for login!). If you want shell access to your firewall
-    from the internet, use <acronym>SSH</acronym>: </para></important><informaltable
+    from the internet, use <acronym>SSH</acronym>:</para></important><informaltable
    frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
    valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
    align="left">SOURCE</entry><entry align="left">DEST</entry><entry