extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-26 04:32:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update FAQ and MultiISP

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4718 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-10-20 15:41:54 +00:00
parent 63d7b7adb0
commit 9e4691cb7d
2 changed files with 51 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
docs/FAQ.xml
View File

@ -1035,6 +1035,12 @@ DROP net fw udp 10619</programlisting>
level and this packet is being logged under that policy. If you level and this packet is being logged under that policy. If you
intend to ACCEPT this traffic then you need a <ulink intend to ACCEPT this traffic then you need a <ulink
url="Documentation.htm#Rules">rule</ulink> to that effect.</para> url="Documentation.htm#Rules">rule</ulink> to that effect.</para>
<para>Beginning with Shorewall 3.3.3, packets logged out of these
chains may have a source and/or destination that is not in any
defined zone (see the output of <command>shorewall[-lite] show
zones</command>). Remember that zone membership involves both a
firewall interface and an ip address.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1119,18 +1125,22 @@ DROP net fw udp 10619</programlisting>
<listitem> <listitem>
<para>The packet has a source IP address that isn't in any of your <para>The packet has a source IP address that isn't in any of your
defined zones (<quote>shorewall[-lite] show zones</quote> and look defined zones (<quote><command>shorewall[-lite] show
at the printed zone definitions) or the chain is FORWARD and the zones</command></quote> and look at the printed zone definitions)
destination IP isn't in any of your defined zones. If the chain is or the chain is FORWARD and the destination IP isn't in any of
FORWARD and the IN and OUT interfaces are the same, then you your defined zones. If the chain is FORWARD and the IN and OUT
probably need the <emphasis role="bold">routeback</emphasis> interfaces are the same, then you probably need the <emphasis
option on that interface in <filename> <ulink role="bold">routeback</emphasis> option on that interface in
<filename> <ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink> url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>
</filename> or you need the <emphasis </filename> or you need the <emphasis
role="bold">routeback</emphasis> option in the relevant entry in role="bold">routeback</emphasis> option in the relevant entry in
<filename> <ulink <filename> <ulink
url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink> url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>.</filename></para>
</filename>.</para>
<para>In Shorewall 3.3.3 and later versions, such packets may also
be logged out of a &lt;zone&gt;2all chain or the all2all chain.
</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1139,8 +1149,11 @@ DROP net fw udp 10619</programlisting>
<listitem> <listitem>
<para>The packet has a destination IP address that isn't in any of <para>The packet has a destination IP address that isn't in any of
your defined zones("shorewall show zones" and look at the printed your defined zones(<command>shorewall[-lite] show zones</command>
zone definitions).</para> and look at the printed zone definitions).</para>
<para>In Shorewall 3.3.3 and later versions, such packets may also
be logged out of the fw2all chain or the all2all chain.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

29
docs/MultiISP.xml
View File

@ -653,7 +653,8 @@ eth1 eth2 130.252.99.27</programlisting>
<para>Entries in <filename>/etc/shorewall/masq</filename> have no <para>Entries in <filename>/etc/shorewall/masq</filename> have no
effect on which ISP a particular connection will be sent through. That effect on which ISP a particular connection will be sent through. That
is rather the purpose of entries in is rather the purpose of entries in
<filename>/etc/shorewall/tcrules</filename>.</para> <filename>/etc/shorewall/tcrules</filename> or
<filename>/etc/shorewall/route_rules</filename>.</para>
</warning> </warning>
<para>Now suppose that you want to route all outgoing SMTP traffic from <para>Now suppose that you want to route all outgoing SMTP traffic from
@ -668,6 +669,32 @@ eth1 eth2 130.252.99.27</programlisting>
2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting> 2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
</section> </section>
<section>
<title>Applications running on the Firewall</title>
<para>Experience has shown that in some cases, problems occur with
applications running on the firewall itself. When this happens, it is
suggested that you have the application use specific local IP addresses
rather than 0.</para>
<para>Examples:</para>
<itemizedlist>
<listitem>
<para>Squid: In <filename>squid.conf</filename>, set <emphasis
role="bold">tcp_outgoing_address</emphasis> to the IP address of the
interface that you want Squid to use.</para>
</listitem>
<listitem>
<para>In OpenVPN, set <emphasis role="bold">local
</emphasis>(<emphasis role="bold">--local</emphasis> on the command
line) to the IP address that you want the server to receive
connections on.</para>
</listitem>
</itemizedlist>
</section>
<section> <section>
<title>/etc/shorewall/route_rules</title> <title>/etc/shorewall/route_rules</title>