From 9ce8fa2d664740bb01e52bd3ca5bd5ace252d88a Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 5 Mar 2005 16:53:54 +0000 Subject: [PATCH] Update Website for new Mailing List Policy and Search git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1983 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-Website/mailing_list.htm | 58 ++++++++----- Shorewall-Website/search.html | 60 ++++++++++++++ Shorewall-docs2/Shorewall_Squid_Usage.xml | 46 ++++++++-- Shorewall-docs2/configuration_file_basics.xml | 30 ++++++- Shorewall-docs2/ping.xml | 83 ++++++++++++------- Shorewall-docs2/shorewall_logging.xml | 32 ++++--- Shorewall-docs2/support.xml | 28 ++++--- Shorewall-docs2/troubleshoot.xml | 8 +- 8 files changed, 263 insertions(+), 82 deletions(-) create mode 100644 Shorewall-Website/search.html diff --git a/Shorewall-Website/mailing_list.htm b/Shorewall-Website/mailing_list.htm index 25d6eb4a4..46dc4f285 100755 --- a/Shorewall-Website/mailing_list.htm +++ b/Shorewall-Website/mailing_list.htm @@ -27,7 +27,7 @@ Documentation License
-

2005-02-15
+

2005-03-05


See the Shorewall @@ -59,15 +59,22 @@ Shorewall information and documentation.

  • Acknowlegements
  • -

    Mailing Lists are Moderated for Non-Member -Posts

    -Given recent problems associated with viruses (and the more annoying -problems of clueless mail admins who configure their AV software to -spam -innocent bystanders during a virus storm), the Shorewall lists are -moderated for non-member posts. It is also a good idea to mention that -you are a non-member so that people will include you in the CC list -when replying. +
    +

    Mailing Lists are closed to Non-Member Posts
    +

    +For several years, the Shorewall lists were moderated for non-member +posts. I've found that this is a pain for me (I have to wade through +the spam to find and approve legitimate posts).  Additionally, +non-members seemed to almost universally ignore instructions to mention +that they were non-members in their post. Since the mailing lists are +set up so that replies go to the list rather than to the poster, this +means that most non-members who posted were not receiving their +replies. So effective 2005-03-05, all Shorewall lists are closed to +non-member posts.
    +
    +
    - Tom Eastep
    +
    +

    Please post in plain text

    A growing number of MTAs serving list subscribers are rejecting all HTML traffic. At least one MTA has gone so far as to blacklist @@ -91,22 +98,22 @@ On shorewall.net as elsewhere, it is considered very bad netiquette to hijack another poster's thread by simply replying to a list post and changing the subject to a different one. Please start a new thread when you wish to introduce a new topic for discussion.
    +

    Mailing Lists Archive Search

    - + name="ie" value="UTF-8" type="hidden"> - +
    - Google - Google
    @@ -120,6 +127,7 @@ simply won't stand the traffic. If I catch you, you will be blacklisted.
    +

    Shorewall CA Certificate

    If you want to trust X.509 certificates issued by Shoreline Firewall (such as the one used on my web site), you may +

    Shorewall Users Mailing List

    The Shorewall Users Mailing list provides a way for users to get answers to questions and to report problems. Information @@ -157,6 +166,7 @@ at Sourceforge. The archives from that list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.

    +

    Shorewall Announce Mailing List

    This list is for announcements of general interest to the Shorewall community.
    The list archives are at http://lists.shorewall.net/pipermail/shorewall-announce. +


    Shorewall Development Mailing List

    The Shorewall Development Mailing list provides a forum for the exchange of ideas about the future of Shorewall and @@ -189,6 +200,7 @@ REGULAR RELEASE SUPPORT REQUESTS SHOULD BE POSTED TO THE The list archives are at http://lists.shorewall.net/pipermail/shorewall-devel.

    +

    Shorewall Newbies Mailing List (Closed)

    @@ -201,6 +213,7 @@ to be less that a success and has been discontinued.
    target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-newbies

    The list archives are at http://lists.shorewall.net/pipermail/shorewall-newbies.

    +

    How to Unsubscribe from one of the Mailing Lists

    There seems to be near-universal confusion about @@ -226,6 +239,7 @@ password, there is another button that will cause your password to be emailed to you.

    +

    A Word about the SPAM Filters at Shorewall.net 

    Please note that the mail server at shorewall.net checks @@ -244,8 +258,9 @@ fully-qualified DNS name. lookup must not fail).
    -

    -If you experience problems with any of these lists, +
    +

    If you experience problems with any of these +lists, please let me know

    @@ -253,6 +268,7 @@ know

    You can report such problems by sending mail to tmeastep at hotmail dot com.

    +

    Acknowlegments

    The Shorewall Mailing Lists use the following software:
      diff --git a/Shorewall-Website/search.html b/Shorewall-Website/search.html new file mode 100644 index 000000000..84a8f1e21 --- /dev/null +++ b/Shorewall-Website/search.html @@ -0,0 +1,60 @@ + + + + ht://Dig WWW Search + + + +

      Shorewall Site Searches

      +
      This search will allow you to search the contents of all the +publicly available WWW documents at shorewall.net. Currently +searches only the shorewall.net mirror in Washington State, USA. +
      + + + + + + + +
      Google
      + +
      +
      +
      +

      This search will allow you to search the contents of the Mailing +List Archives at shorewall.net. Currently searches at the main +shorewall.net site only.

      +
      +
      + + + + + + +
      Google
      +
      +
      +
      +


      +

      +
      +
      + + diff --git a/Shorewall-docs2/Shorewall_Squid_Usage.xml b/Shorewall-docs2/Shorewall_Squid_Usage.xml index 22d22e2da..96799d8ef 100644 --- a/Shorewall-docs2/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml @@ -181,9 +181,12 @@ REDIRECT loc 3128 tcp www - !206.124.146. - In /etc/shorewall/init, put: + Create /etc/shorewall/addroutes as + follows: - if [ -z "`ip rule list | grep www.out`" ] ; then + #!/bin/sh + +if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 0xCA table www.out # Note 0xCA = 202 ip route add default via 192.168.1.3 dev eth1 table www.out ip route flush cache @@ -192,7 +195,21 @@ fi - In /etc/shorewall/interfaces: + Make /etc/shorewall/addroutes executable + via: + + chmod +x /etc/shorewall/addroutes + + + + In /etc/shorewall/init, put: + + run_and_save_command "/etc/shorewall/addroutes" + + + + In + /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS loc eth1 detect routeback @@ -254,15 +271,32 @@ chkconfig --level 35 iptables on - In /etc/shorewall/init, put: + Create /etc/shorewall/addroutes as + follows: - if [ -z "`ip rule list | grep www.out`" ] ; then + #!/bin/sh + +if [ -z "`ip rule list | grep www.out`" ] ; then ip rule add fwmark 0xCA table www.out # Note 0xCA = 202 - ip route add default via 192.0.2.177 dev eth1 table www.out + ip route add default via 192.168.1.3 dev eth1 table www.out ip route flush cache + echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects fi + + Make /etc/shorewall/addroutes executable + via: + + chmod +x /etc/shorewall/addroutes + + + + In /etc/shorewall/init, put: + + run_and_save_command "/etc/shorewall/addroutes" + + Do one of the following: diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml index 7f60403f6..d070e9b48 100644 --- a/Shorewall-docs2/configuration_file_basics.xml +++ b/Shorewall-docs2/configuration_file_basics.xml @@ -15,7 +15,7 @@ - 2005-02-28 + 2005-03-24 2001-2005 
@@ -495,6 +495,34 @@ DNAT net loc:192.168.1.3 tcp 4000:4100 omit the high port number, a value of 65535 is assumed. +
      + Port Lists + + In most cases where a port or port range may appear, a + comma-separated list of ports or port ranges may also be entered. + Shorewall will use the Netfilter multiport match capability if it is available (see + the output of "shorewall check" under the + heading "Shorewall has detected the following iptables/netfilter + capabilities:") and if its use is appropriate. + + Shorewall can use multiport match if: + + + + The list contains 15 or fewer port number; and + + + + There are no port ranges listed OR your iptables/kernel support + the Extended multiport match (again + see the output of "shorewall check"). Where the Extended multiport match is available, each port range + counts as two ports toward the maximum of 15. + + +
      +
      Using Shell Variables diff --git a/Shorewall-docs2/ping.xml b/Shorewall-docs2/ping.xml index f67e24b13..9d5bec534 100644 --- a/Shorewall-docs2/ping.xml +++ b/Shorewall-docs2/ping.xml @@ -13,10 +13,10 @@ - 2004-01-03 + 2005-03-04 - 2001-2004 + 2001-2005 Thomas M. Eastep @@ -27,7 +27,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -36,8 +37,8 @@ the latest change coming in Shorewall version 1.4.0. To find out which version of Shorewall you are running, at a shell prompt type /sbin/shorewall version. If that command - gives you an error, it's time to upgrade since you have a very old - version of Shorewall installed (1.2.4 or earlier). + gives you an error, it's time to upgrade since you have a very old version + of Shorewall installed (1.2.4 or earlier). @@ -47,14 +48,14 @@
      - Shorewall Versions >= 2.0.0 + Shorewall Versions >= 2.0.0 - In Shoreall 1.4.0 and later version, ICMP echo-request's are - treated just like any other connection request. + In Shoreall 1.4.0 and later version, ICMP echo-request's are treated + just like any other connection request. In order to accept ping requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in - /etc/shoreall/rules of the form: + /etc/shorewall/rules of the form: #ACTION SOURCE DEST PROTO DEST PORT(S) AllowPing z1 z2 @@ -69,8 +70,11 @@ AllowPing loc fw If you would like to accept ping by default even when - the relevant policy is DROP or REJECT, modify /etc/shorewall/action.Drop - or /etc/shorewall/action.Reject respectively and simply add the line: + the relevant policy is DROP or REJECT, copy + /usr/share/shorewall/action.Drop or + /usr/share shorewall/action.Reject respectively to + /etc/shorewall and simply add this + line to the copy: AllowPing @@ -84,7 +88,7 @@ DropPing z1 z2 Silently drop pings from the Internet To drop ping from the internet, you would need this rule in - /etc/shorewall/rules: + /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) DropPing net fw @@ -96,10 +100,10 @@ DropPing net fw
      - Shorewall Versions >= 1.4.0 + Shorewall Versions >= 1.4.0 - In Shoreall 1.4.0 and later version, ICMP echo-request's are - treated just like any other connection request. + In Shoreall 1.4.0 and later version, ICMP echo-request's are treated + just like any other connection request. In order to accept ping requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in @@ -119,7 +123,7 @@ ACCEPT loc fw icmp 8 If you would like to accept ping by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it - doesn't already exist and in that file place the following command: + doesn't already exist and in that file place the following command: run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT @@ -145,7 +149,7 @@ DROP net fw icmp 8
      - Shorewall Versions >= 1.3.14 and < 1.4.0 with + <title>Shorewall Versions >= 1.3.14 and < 1.4.0 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf In 1.3.14, Ping handling was put under control of the rules and @@ -167,7 +171,7 @@ ACCEPT loc fw icmp 8 If you would like to accept ping by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it - doesn't already exist and in that file place the following command: + doesn't already exist and in that file place the following command: run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT @@ -199,10 +203,11 @@ DROP net fw icmp 8
      - Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in + <title>Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf - There are several aspects to the old Shorewall Ping management: + There are several aspects to the old Shorewall Ping + management: @@ -213,11 +218,13 @@ DROP net fw icmp 8 The FORWARDPING option in - /etc/shorewall/shorewall.conf. + /etc/shorewall/shorewall.conf. - Explicit rules in /etc/shorewall/rules. + Explicit rules in /etc/shorewall/rules. @@ -268,15 +275,17 @@ DROP net fw icmp 8
      Ping Requests Forwarded by the Firewall - These requests are always passed to rules/policy evaluation. + These requests are always passed to rules/policy + evaluation.
      Rules Evaluation - Ping requests are ICMP type 8. So the general rule format is: + Ping requests are ICMP type 8. So the general rule format + is: #ACTION SOURCE DEST PROTO DEST PORT(S) -<action> <source> <destination> icmp 8 +<action> <source> <destination> icmp 8 Allow ping from DMZ to Net @@ -327,8 +336,26 @@ DROP net fw icmp 8 Revision History - 1.22004-01-03TEAdd - traceroute reference1.12003-08-23TEInitial - version converted to Docbook XML + + + 1.2 + + 2004-01-03 + + TE + + Add traceroute reference + + + + 1.1 + + 2003-08-23 + + TE + + Initial version converted to Docbook XML + + \ No newline at end of file diff --git a/Shorewall-docs2/shorewall_logging.xml b/Shorewall-docs2/shorewall_logging.xml index b9f252527..beb253010 100644 --- a/Shorewall-docs2/shorewall_logging.xml +++ b/Shorewall-docs2/shorewall_logging.xml @@ -15,10 +15,10 @@ - 2004-12-27 + 2005-03-04 - 2001 - 2004 + 2001 - 2005 Thomas M. Eastep 
@@ -220,17 +220,25 @@ You will need to change all instances of log levels (usually info) in your Shorewall configuration files to ULOG - this includes entries in the policy, rules and - shorewall.conf files. Here's what I have: + shorewall.conf files. Here's what I had at one time: - [root@gateway shorewall]# grep LOG * | grep -v ^\# - params:LOG=ULOG - policy:loc fw REJECT $LOG - policy:net all DROP $LOG 10/sec:40 - policy:all all REJECT $LOG - rules:REJECT:$LOG loc net tcp 6667 - shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG - shorewall.conf:RFC1918_LOG_LEVEL=$LOG - [root@gateway shorewall]# + gateway:/etc/shorewall# grep -v ^\# * | egrep '\$LOG|ULOG|LOGFILE' +params:LOG=ULOG +policy:loc $FW REJECT $LOG +policy:net all DROP $LOG 10/sec:40 +policy:all all REJECT $LOG +rules:REJECT:$LOG loc net tcp 25 +rules:REJECT:$LOG loc net udp 1025:1031 +rules:REJECT:$LOG dmz net udp 1025:1031 +rules:ACCEPT:$LOG dmz net tcp 1024: 20 +rules:REJECT:$LOG fw net udp 1025:1031 +shorewall.conf:LOGFILE=/var/log/shorewall +shorewall.conf:LOGUNCLEAN=$LOG +shorewall.conf:LOGNEWNOTSYN=$LOG +shorewall.conf:MACLIST_LOG_LEVEL=$LOG +shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG +shorewall.conf:RFC1918_LOG_LEVEL=$LOG +gateway:/etc/shorewall# Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<file that you wish to log to>. This diff --git a/Shorewall-docs2/support.xml b/Shorewall-docs2/support.xml index f28e39bf4..d53eae79b 100644 --- a/Shorewall-docs2/support.xml +++ b/Shorewall-docs2/support.xml @@ -15,7 +15,7 @@ - 2005-02-20 + 2005-03-05 2001-2005 @@ -75,10 +75,9 @@ - The Site and Mailing - List Archives search facility can locate documents and posts - about similar problems: + The Search + facility linked from the Shorewall Home Page can locate + documents and posts about similar problems:
      @@ -274,7 +273,9 @@ release (see the Shorewall Release Model page) -- please post your question or problem to the Shorewall - Development Mailing List. + Development Mailing List. IMPORTANT: You must subscribe to the list before + you will be able to post to it (see link below). If you run Shorewall under MandrakeSoft Multi Network Firewall (MNF) and you have not purchased an MNF license from @@ -285,18 +286,25 @@ Otherwise, please post your question or problem to the Shorewall users mailing - list. IMPORTANT: If you are not - subscribed to the list, please say so -- otherwise, you will not be - included in any replies. + list. IMPORTANT: You must + subscribe to the list before you will be able to post to it (see link + below).
      Subscribing to the Users Mailing List - To Subscribe to the mailing list go to To Subscribe to the users mailing list go to https://lists.shorewall.net/mailman/listinfo/shorewall-users.
      +
      + Subscribing to the Development Mailing List + + To Subscribe to the development mailing list go to https://lists.shorewall.net/mailman/listinfo/shorewall-devel. +
      +
      Other Mailing Lists diff --git a/Shorewall-docs2/troubleshoot.xml b/Shorewall-docs2/troubleshoot.xml index 13cc5fbe2..232ea7978 100644 --- a/Shorewall-docs2/troubleshoot.xml +++ b/Shorewall-docs2/troubleshoot.xml @@ -13,7 +13,7 @@ Eastep - 20045-03-03 + 2005-03-05 2001-2005 @@ -57,9 +57,9 @@ Try Searching the Shorewall Site and Mailing List Archives - The Site - and Mailing List Archives search facility can locate documents - and posts about similar problems. + The Site and Mailing + List Archives search facility can locate documents and posts + about similar problems.
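Review bot: The table-of-contents entry `• Acknowlegements` in the unchanged context of the mailing_list.htm hunk `@@ -59,15 +59,22 @@` is misspelled, and the matching heading `Acknowlegments` in the `@@ -253,6 +268,7 @@` hunk of the same file is misspelled differently; since the file is being rewritten anyway, correct both to "Acknowledgements" so the anchor text and the heading agree.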
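Review bot: The Google archive-search form in the mailing_list.htm hunk `@@ -91,22 +98,22 @@` is now duplicated by the one in the new Shorewall-Website/search.html ("This search will allow you to search the contents of the Mailing List Archives at shorewall.net"), and two copies of the same form will drift; consider replacing the inline form here with a link to search.html, which is how support.xml now refers to it ("The Search facility linked from the Shorewall Home Page").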
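Review bot: The unchanged context line `https//lists.shorewall.net/mailman/listinfo/shorewall-newbies` in the mailing_list.htm hunk `@@ -201,6 +213,7 @@` is missing the colon after `https`, so the link is broken; it is a one-character drive-by fix worth taking in this commit.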
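Review bot: The page title in the new Shorewall-Website/search.html is `ht://Dig WWW Search`, but both forms on the page submit to Google and the visible heading is "Shorewall Site Searches"; change the title to match the heading so browser tabs and bookmarks do not advertise a search engine the page does not use.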
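Review bot: The guard in the first Shorewall_Squid_Usage.xml hunk (`@@ -181,9 +181,12 @@`), `if [ -z "`ip rule list | grep www.out`" ]`, uses an unanchored pattern in which `.` matches any character, so any rule whose text merely contains `www` followed by one character and `out` would suppress the whole setup; since this script is now the idempotency check each time it is run from /etc/shorewall/init via `run_and_save_command`, tighten it to `if ! ip rule list | grep -q 'lookup www\.out'; then` (which is how `ip rule list` prints the table name) and drop the command substitution.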
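Review bot: The gateway in the second addroutes script in Shorewall_Squid_Usage.xml (`@@ -254,15 +271,32 @@`) is changed from `via 192.0.2.177 dev eth1` to `via 192.168.1.3 dev eth1` without being mentioned in the commit message, which makes this script identical to the first one apart from the `send_redirects` line; if this section describes Squid on a different host (the old 192.0.2.177 address suggests it did), the change looks like a copy-paste from the first script and should be reverted or explained in the surrounding text.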
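Review bot: The date in the configuration_file_basics.xml header hunk (`@@ -15,7 +15,7 @@`) is bumped to 2005-03-24, which is later than the commit itself (Sat, 5 Mar 2005) and out of step with the 2005-03-04 and 2005-03-05 dates used in the other files in this change; it is presumably meant to be 2005-03-04.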
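Review bot: In the new "Port Lists" section (`@@ -495,6 +495,34 @@`) the first bullet should read "15 or fewer port numbers" and the second "your iptables/kernel supports"; more importantly, the section says multiport match is used "if its use is appropriate" and lists the two conditions, but never says what Shorewall does when a list fails them (more than 15 ports, or ranges without the Extended multiport match), which is exactly what a reader checking the `shorewall check` capabilities output needs to know, so add a sentence describing the fallback behaviour.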
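Review bot: The reflowed sentence in the ping.xml "Shorewall Versions >= 2.0.0" hunk (`@@ -47,14 +48,14 @@`) keeps the typos it moves: "Shoreall" should be "Shorewall", "echo-request's" should be "echo-requests" and "later version" should be "later versions"; the same sentence is reflowed again with the same typos in the `@@ -96,10 +100,10 @@` hunk of the 1.4.0 section.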
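Review bot: In the ping.xml hunk `@@ -69,8 +70,11 @@` the path `/usr/share shorewall/action.Reject` is missing the slash between `share` and `shorewall` (compare the preceding `/usr/share/shorewall/action.Drop`); a reader copying the path will try to open a file that does not exist.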
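Review bot: No revision-history row is added in the ping.xml hunk `@@ -327,8 +336,26 @@` even though the header hunk bumps the article date to 2005-03-04 and the 2.0.0 section now tells users to copy the action files from /usr/share/shorewall rather than edit them in /etc/shorewall; add a 1.3 entry dated 2005-03-04 so the history agrees with the date in the header.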
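Review bot: In the shorewall_logging.xml hunk (`@@ -220,17 +220,25 @@`) the new listing includes `shorewall.conf:LOGFILE=/var/log/shorewall`, but the paragraph presents the listing as the result of changing log levels to ULOG and only afterwards says "Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=..."; either say that the listing already reflects that final step or drop `LOGFILE` from the egrep pattern so the example shows only the log-level changes the paragraph is about.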
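Review bot: The support.xml hunk `@@ -75,10 +75,9 @@` now says "The Search facility linked from the Shorewall Home Page", while the troubleshoot.xml hunk (`@@ -57,9 +57,9 @@`) keeps "The Site and Mailing List Archives search facility" for what appears to be the same facility; use the same wording (and, ideally, a direct link to the new search.html) in both places so the two pages do not look like they refer to different tools.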