Documentation updates for 2.2.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2026 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-04-07 16:35:59 +00:00
parent 05601aeb63
commit 9edbc16770
11 changed files with 266 additions and 67 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-03-10</pubdate>
<pubdate>2005-04-06</pubdate>
<copyright>
<year>2001-2005</year>
@ -1079,6 +1079,16 @@ loc eth1:192.168.1.0/24,192.168.12.0/24</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>QUEUE</term>
<listitem>
<para>Send the connection request to a user-space process via the
iptables QUEUE target (useful when you are using
Snort-inline).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CONTINUE</term>
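Review bot: The new QUEUE entry carries no version marker, while neighbouring entries in this list (MACLIST_TTL just below) say "(Added at version ...)"; state the Shorewall version in which QUEUE became a valid ACTION. It would also help to spell out the runtime dependency: the iptables QUEUE target needs kernel queue support and a user-space process (Snort-inline in the example) actually attached to the queue, and when no listener is attached netfilter drops the queued packets, so a Snort-inline that is not running turns this rule into a silent DROP.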
@ -2651,6 +2661,37 @@ eth0 eth1 206.124.146.176</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>MACLIST_TTL</term>
<listitem>
<para>(Added at version 2.2.0) The performance of configurations
with a large numbers of entries in /etc/shorewall/maclist can be
improved by setting the MACLIST_TTL variable in
/etc/shorewall/shorewall.conf.</para>
<para>If your iptables and kernel support the "Recent Match" (see
the output of "shorewall check" near the top), you can cache the
results of a 'maclist' file lookup and thus reduce the overhead
associated with <ulink url="MAC_Validation.html">MAC
Verification</ulink>.</para>
<para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
/etc/shorewall/maclist. If there is a match then the source IP
address is added to the 'Recent' set for that interface. Subsequent
connection attempts from that IP address occuring within
$MACLIST_TTL seconds will be accepted without having to scan all of
the entries. After $MACLIST_TTL from the first accepted connection
request from an IP address, the next connection request from that IP
address will be checked against the entire list.</para>
<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
not be cached).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RFC1918_STRICT</term>
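Review bot: The "(Added at version 2.2.0)" marker on the new MACLIST_TTL entry conflicts with this commit's message ("Documentation updates for 2.2.3") and with the other copy of this text in the same commit, which says "Beginning with Shorewall 2.2.3"; settle on one version. Wording in the added paragraphs: "a large numbers of entries" should be "a large number of entries", "passes through then list of entries" should read "the list", and "occuring" should be "occurring". The closing parenthesis in the last paragraph is misplaced; it should read "(e.g., MACLIST_TTL="") or is specified as zero, then 'maclist' lookups will not be cached." Finally, the entry should state the trade-off it introduces: while an address is in the 'Recent' set, new connections from it are accepted on the strength of the source IP alone and the MAC is not re-checked, so the larger MACLIST_TTL is, the longer a window during which this feature does not perform the verification it is meant to enforce.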
@ -3861,7 +3902,11 @@ all all tcp ftp-data - 8</programlisting
<title>/etc/shorewall/routestopped (Added in Version 1.3.4)</title>
<para>This file defines the hosts that are accessible from the firewall
when the firewall is stopped. Columns in the file are:</para>
when the firewall is stopped. Beginning with Shorewall version 2.2.3,
entries in this file are also active while Shorewall is being [re]started.
</para>
<para>Columns in the file are:</para>
<variablelist>
<varlistentry>
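Review bot: The new sentence "entries in this file are also active while Shorewall is being [re]started" should cross-reference the new `continue` extension script that this same commit documents, since both exist to keep traffic flowing during a [re]start; a reader needs to know when a routestopped entry is enough and when arbitrary rules in `continue` are required.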

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-19</pubdate>
<pubdate>2005-03-18</pubdate>
<copyright>
<year>2001-2005</year>
@ -23,7 +23,7 @@
<holder>Thomas M. Eastep</holder>
</copyright>
<edition>2.2.0</edition>
<edition>2.2.2</edition>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
@ -162,6 +162,11 @@
address or Subnet</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#IPRanges">IP
Address Ranges</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Levels">Shorewall
Configurations (making a test configuration)</ulink></para>

View File

@ -17,10 +17,10 @@
</author>
</authorgroup>
<pubdate>2005-03-07</pubdate>
<pubdate>2005-04-05</pubdate>
<copyright>
<year>2001-2004</year>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -78,8 +78,8 @@
</section>
<section>
<title>(FAQ 44) I can't install the RPM — I keep getting the message
"error: failed dependencies:iproute is needed..."</title>
<title>(FAQ 44) I can't install/upgrade the RPM — I keep getting the
message "error: failed dependencies:iproute is needed..."</title>
<para><emphasis role="bold">Answer</emphasis>: Read the <ulink
url="Install.htm">Installation Instructions</ulink>!!!!!</para>
@ -233,6 +233,51 @@ DNAT net loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
</section>
<section id="faq1d">
<title>(FAQ 1d) I have a web server in my DMZ and I use port
forwarding to make that server accessible from the Internet. That
works fine but when my local users try to connect to the server using
the Firewall's external IP address, it doesn't work.</title>
<para><emphasis role="bold">Answer</emphasis>: Let's assume the
following:</para>
<itemizedlist>
<listitem>
<para>External IP address is 206.124.146.176 on <filename
class="devicefile">eth0</filename>.</para>
</listitem>
<listitem>
<para>Server's IP address is 192.168.2.4</para>
</listitem>
</itemizedlist>
<para>You can enable access to the server from your local network
using the firewall's external IP address by adding this rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</programlisting>
<para>If your external IP address is dynamic, then you must do the
following:</para>
<para>In <filename>/etc/shorewall/init</filename>:</para>
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
<para>For users of Shorewall 2.1.0 and later:</para>
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting>
<para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
</section>
</section>
<section id="faq30">
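Review bot: The dynamic-address instructions in FAQ 1d are ambiguous about versions: the first snippet (`ETH0_IP=\`find_interface_address eth0\``) has no version qualifier, and only afterwards is `find_first_interface_address` introduced "For users of Shorewall 2.1.0 and later"; say explicitly that the first form is for versions before 2.1.0, or lead with the current form. The header comment of the second rule listing ends in a stray period ("DEST.") that the first listing does not have. It would also help to say why placing the assignment in /etc/shorewall/init is required, namely that the variable must be set before the rules file is processed.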
@ -409,6 +454,51 @@ dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis>
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
</example>
</section>
<section id="faq2b">
<title>(FAQ 2b) I have a web server in my DMZ and I use port
forwarding to make that server accessible from the Internet as
www.mydomain.com. That works fine but when my local users try to
connect to www.mydomain.com, it doesn't work.</title>
<para><emphasis role="bold">Answer</emphasis>: Let's assume the
following:</para>
<itemizedlist>
<listitem>
<para>External IP address is 206.124.146.176 on <filename
class="devicefile">eth0</filename> (www.mydomain.com).</para>
</listitem>
<listitem>
<para>Server's IP address is 192.168.2.4</para>
</listitem>
</itemizedlist>
<para>You can enable access to the server from your local network
using the firewall's external IP address by adding this rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</programlisting>
<para>If your external IP address is dynamic, then you must do the
following:</para>
<para>In <filename>/etc/shorewall/init</filename>:</para>
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
<para>For users of Shorewall 2.1.0 and later:</para>
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting>
<para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
</section>
</section>
</section>
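Review bot: FAQ 2b duplicates FAQ 1d almost verbatim (same addresses, same DNAT rule, same dynamic-address snippets); the only difference is that the external address is referred to as www.mydomain.com. Two copies will drift (the "DEST." typo and the unqualified `find_interface_address` snippet already appear in both); make one of them a one-sentence pointer to the other.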
@ -1144,9 +1234,13 @@ net net DROP</programlisting>
eth0 eth2
eth1 eth2</programlisting>
<para><citetitle>There was an article in SysAdmin covering this topic.
It may be found at <ulink
url="http://www.samag.com/documents/s=1824/sam0201h/">http://www.samag.com/documents/s=1824/sam0201h/</ulink></citetitle></para>
<para>There was an article in SysAdmin covering the topic of setting up
routing for this configuration. It may be found at <ulink
url="http://www.samag.com/documents/s=1824/sam0201h/">http://www.samag.com/documents/s=1824/sam0201h/</ulink>.</para>
<para>Stephen Carville has put together a Shorewall-specific writeup
that covers this subject at <ulink
url="http://www.heronforge.net/redhat/node17.html">http://www.heronforge.net/redhat/node17.html</ulink>.</para>
<para><citetitle>The following information regarding setting up routing
for this configuration is reproduced from the <ulink
@ -1690,9 +1784,9 @@ alias ipt_pkttype off</programlisting>
</variablelist>
</section>
<section>
<title>Given that the Debian Stable Release includes Shorewall 1.2.12,
how can you not support that version?</title>
<section id="faq43">
<title>(FAQ 43) Given that the Debian Stable Release includes Shorewall
1.2.12, how can you not support that version?</title>
<para>The first release of Shorewall was in March of 2001. Shorewall
1.2.12 was released in May of 2002. It is now the year 2005 and
@ -1909,7 +2003,12 @@ eth0 eth1 # eth1 = interface to local netwo
nmap from the firewall system, I get <quote>operation not
permitted</quote>. How do I allow this option?</title>
<para>Add this command to your /etc/shorewall/start file:</para>
<para>If you are running Shorewall 2.2.0 or later, set DROPINVALID=No
in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
<para>Otherwise, add this command to your /etc/shorewall/start
file:</para>
<programlisting><command>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</command></programlisting>
</section>
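Review bot: The new DROPINVALID=No advice is a shorewall.conf-wide setting, whereas the older start-file command removes a single OUTPUT-chain rule; the answer should say what scope DROPINVALID=No has so readers understand how much of the INVALID-state protection they are relaxing to accommodate one tool. The "Otherwise" branch also needs a caveat: `run_iptables` is documented further down in this commit as stopping or restoring the firewall when the iptables command fails, and `iptables -D` fails when the rule is not present, so leaving this line in /etc/shorewall/start on a version that no longer creates the rule will make every start/restart fail.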
@ -1958,8 +2057,8 @@ iptables: Invalid argument
<section id="faq28">
<title>(FAQ 28) How do I use Shorewall as a Bridging Firewall?</title>
<para>Experimental Shorewall Bridging Firewall support is available —
<ulink url="bridge.html">check here for details</ulink>.</para>
<para>Shorewall Bridging Firewall support is available — <ulink
url="bridge.html">check here for details</ulink>.</para>
</section>
<section id="faq39">

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-03-11</pubdate>
<pubdate>2005-04-06</pubdate>
<copyright>
<year>2001-2005</year>
@ -94,6 +94,34 @@
If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
connection requests are not logged.</para>
</listitem>
<listitem>
<para>Beginning with Shorewall 2.2.3, the <emphasis
role="bold">MACLIST_TTL</emphasis> variable in <ulink
url="???">/etc/shorewall/shorewall.conf</ulink>. The performance of
configurations with a large numbers of entries in
/etc/shorewall/maclist can be improved by setting the MACLIST_TTL
variable.</para>
<para>If your iptables and kernel support the "Recent Match" (see the
output of "shorewall check" near the top), you can cache the results
of a 'maclist' file lookup and thus reduce the overhead associated
with MAC Verification.</para>
<para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in
/etc/shorewall/maclist. If there is a match then the source IP address
is added to the 'Recent' set for that interface. Subsequent connection
attempts from that IP address occuring within $MACLIST_TTL seconds
will be accepted without having to scan all of the entries. After
$MACLIST_TTL from the first accepted connection request from an IP
address, the next connection request from that IP address will be
checked against the entire list.</para>
<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
be cached).</para>
</listitem>
</orderedlist>
</section>
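Review bot: `url="???"` in the added MACLIST_TTL paragraph is a placeholder that will ship as a broken link; the Documentation.htm#Conf target used for shorewall.conf elsewhere in this commit is the obvious value. The first sentence is also incomplete ("Beginning with Shorewall 2.2.3, the MACLIST_TTL variable in /etc/shorewall/shorewall.conf." has no verb) and should be merged with the sentence that follows. The "then list", "occuring" and misplaced-parenthesis problems of the copy in the other document are repeated here, and the version given (2.2.3) disagrees with the "(Added at version 2.2.0)" there; since this text now lives in two files, keep it in one place and link to it from the other.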

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-12-23</pubdate>
<pubdate>2005-03-28</pubdate>
<copyright>
<year>2001</year>
@ -26,6 +26,8 @@
<year>2004</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -355,7 +357,7 @@ alias ppp-compress-26 ppp_deflate</programlisting>
<title>Configuring pptpd</title>
<para>PoPTop (pptpd) is available from <ulink
url="http://poptop.lineo.com/">http://poptop.lineo.com/</ulink>.</para>
url="http://www.poptop.org/">http://www.poptop.org/</ulink>.</para>
<para>Here is a copy of my /etc/pptpd.conf file:</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-03-24</pubdate>
<pubdate>2005-03-18</pubdate>
<copyright>
<year>2001-2005</year>
@ -448,7 +448,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
</itemizedlist>
</section>
<section>
<section id="IPRanges">
<title>IP Address Ranges</title>
<para>Beginning with Shorewall 2.2.0, if you kernel and iptables have
@ -506,7 +506,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
heading "Shorewall has detected the following iptables/netfilter
capabilities:") and if its use is appropriate.</para>
<para>Shorewall can use multiport match if: </para>
<para>Shorewall can use multiport match if:</para>
<orderedlist>
<listitem>
@ -630,9 +630,11 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
</listitem>
<listitem>
<para>specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <command>shorewall /etc/testconfig
restart</command> )</para>
<para>specifying the separate directory in a <command>shorewall
start</command> or <command>shorewall restart</command> command (e.g.,
<command>shorewall restart /etc/testconfig</command> using Shorewall
2.2.0 and later or <command>shorewall -c /etc/testconf
restart</command> using earlier versions )</para>
</listitem>
</orderedlist>
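Review bot: The two example commands in the rewritten list item use different directory names, `/etc/testconfig` for 2.2.0 and later but `/etc/testconf` for earlier versions; use the same path in both so the reader sees only the syntax difference (directory as a positional argument versus the `-c` option). There is also a stray space before the closing parenthesis.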

View File

@ -15,10 +15,10 @@
</author>
</authorgroup>
<pubdate>2004-05-10</pubdate>
<pubdate>2005-04-06</pubdate>
<copyright>
<year>2001-2004</year>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -70,7 +71,8 @@
</listitem>
<listitem>
<para>start -- invoked after the firewall has been started or restarted.</para>
<para>start -- invoked after the firewall has been started or
restarted.</para>
</listitem>
<listitem>
@ -96,10 +98,19 @@
<quote>newnotsyn</quote> chain has been created but before any rules
have been added to it.</para>
</listitem>
<listitem>
<para>continue (added in version 2.2.3) -- invoked to allow you to
insert special rules to allow traffic while Shorewall is [re]starting.
Any rules added in this script should be deleted in your
<emphasis>start</emphasis> script. This script is invoked earlier in the
[re]start process than is the <emphasis>initdone</emphasis> script
described above.</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">If your version of Shorewall doesn&#39;t have
the file that you want to use from the above list, you can simply create the
<para><emphasis role="bold">If your version of Shorewall doesn't have the
file that you want to use from the above list, you can simply create the
file yourself.</emphasis> You can also supply a script with the same name as
any of the filter chains in the firewall and the script will be invoked
after the /etc/shorewall/rules file has been processed but before the
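Review bot: The new `continue` entry says rules added there "should be deleted in your start script" but not what happens otherwise: they stay in the running rule set after the [re]start completes, outside anything Shorewall generated from its configuration files, and will keep matching traffic that the finished configuration was never meant to allow. Spell that out, and state where these rules land relative to the chains Shorewall builds, so readers keep them scoped narrowly to the traffic that must survive the [re]start window. A cross-reference to the routestopped change in this same commit, which addresses the same window for simple host entries, would also help.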
@ -114,10 +125,10 @@
<command>run_iptables</command> instead. <command>run_iptables</command>
will run the iptables utility passing the arguments to
<command>run_iptables</command> and if the command fails, the firewall
will be stopped (Shorewall version &#60; 2.0.2 Beta 1 or there is no
will be stopped (Shorewall version &lt; 2.0.2 Beta 1 or there is no
<filename>/var/lib/shorewall/restore</filename> file) or restored
(Shorewall version &#62;= 2.0.2 Beta 1 and <filename>/var/lib/shorewall/restore</filename>
exists).</para>
(Shorewall version &gt;= 2.0.2 Beta 1 and
<filename>/var/lib/shorewall/restore</filename> exists).</para>
</listitem>
<listitem>
@ -125,11 +136,13 @@
commands other than <command>iptables</command> that must be re-run in
order to restore the firewall to its current state then you must save
the commands to the <firstterm>restore file</firstterm>. The restore
file is a temporary file in <filename class="directory">/var/lib/shorewall</filename>
that will be renamed <filename>/var/lib/shorewall/restore-base</filename>
at the successful completion of the Shorewall command. The
<command>shorewall save</command> command combines <filename>/var/lib/shorewall/restore-base</filename>
with the output of <command>iptables-save</command> to produce the
file is a temporary file in <filename
class="directory">/var/lib/shorewall</filename> that will be renamed
<filename>/var/lib/shorewall/restore-base</filename> at the successful
completion of the Shorewall command. The <command>shorewall
save</command> command combines
<filename>/var/lib/shorewall/restore-base</filename> with the output of
<command>iptables-save</command> to produce the
<filename>/var/lib/shorewall/restore</filename> script.</para>
<para>Here are three functions that are useful when running commands
@ -142,15 +155,15 @@
<para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
<para>That command would simply write &#34;echo Operation
Complete&#34; to the restore file.</para>
<para>That command would simply write "echo Operation Complete" to
the restore file.</para>
</listitem>
<listitem>
<para><emphasis role="bold">run_and_save_command()</emphasis> --
saves the passed command to the restore file then executes it. The
return value is the exit status of the command. Example:
<programlisting>run_and_save_command &#34;echo 1 &#62; /proc/sys/net/ipv4/icmp_echo_ignore_all&#34;</programlisting></para>
<programlisting>run_and_save_command "echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
<para>Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes. This
@ -160,21 +173,21 @@
<listitem>
<para><emphasis role="bold">ensure_and_save_command()</emphasis> --
runs the passed command. If the command fails, the firewall is
restored to it&#39;s prior saved state and the operation is
terminated. If the command succeeds, the command is written to the
restore file</para>
restored to it's prior saved state and the operation is terminated.
If the command succeeds, the command is written to the restore
file</para>
</listitem>
</orderedlist>
</listitem>
</itemizedlist>
<para>Beginning with Shorewall 2.0.0, you can also define a
<emphasis>common action</emphasis> to be performed immediately before a
policy of ACCEPT, DROP or REJECT is applied. Separate <ulink
url="Actions.html">actions</ulink> can be assigned to each
policy type so for example you can have a different common action for DROP
and REJECT policies. The most common usage of common actions is to silently
drop traffic that you don&#39;t wish to have logged by the policy.</para>
<para>Beginning with Shorewall 2.0.0, you can also define a <emphasis>common
action</emphasis> to be performed immediately before a policy of ACCEPT,
DROP or REJECT is applied. Separate <ulink
url="Actions.html">actions</ulink> can be assigned to each policy type so
for example you can have a different common action for DROP and REJECT
policies. The most common usage of common actions is to silently drop
traffic that you don't wish to have logged by the policy.</para>
<para>As released, Shorewall defines a number of actions which are cataloged
in the <filename>/usr/share/shorewall/actions.std</filename> file. That file
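Review bot: The rewrapped ensure_and_save_command text keeps the possessive error "restored to it's prior saved state" (should be "its") and still has no terminating period after "written to the restore file"; since these lines are being rewritten anyway, fix both.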
@ -197,10 +210,10 @@ Reject:REJECT</programlisting>
<para>One final note. The chain created to perform an action has the same
name as the action. You can use an extension script by that name to add
rules to the action&#39;s chain in the same way as you can any other chain.
So if you create the new action <quote>Dagger</quote> and define it in
rules to the action's chain in the same way as you can any other chain. So
if you create the new action <quote>Dagger</quote> and define it in
<filename>/etc/shorewall/action.Dagger</filename>, you can also have an
extension script named <filename>/etc/shorewall/Dagger</filename> that can
add rules to the <quote>Dagger</quote> chain that can&#39;t be created using
add rules to the <quote>Dagger</quote> chain that can't be created using
<filename>/etc/shorewall/action.Dagger</filename>.</para>
</article>
</article>

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2005-02-07</pubdate>
<pubdate>2005-03-22</pubdate>
<copyright>
<year>2001-2005</year>
@ -38,9 +38,8 @@
<itemizedlist>
<listitem>
<para>A kernel that supports netfilter. I've tested with 2.4.2 -
2.6.10. With current releases of Shorewall, Traffic Shaping/Control
requires at least 2.4.18. Check <ulink url="kernel.htm">here</ulink>
for kernel configuration information.</para>
2.6.11. Check <ulink url="kernel.htm">here</ulink> for kernel
configuration information.</para>
</listitem>
<listitem>
@ -52,7 +51,7 @@
<para>Iproute (<quote>ip</quote> utility). The iproute package is
included with most distributions but may not be installed by default.
The official download site is <ulink type="remote"
url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>.</para>
url="ftp://ftp.inr.ac.ru/ip-routing">http://developer.osdl.org/dev/iproute2/download/</ulink>.</para>
</listitem>
<listitem>
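Review bot: Only the link text was changed in the iproute item; the `url` attribute still reads ftp://ftp.inr.ac.ru/ip-routing while the visible text now says http://developer.osdl.org/dev/iproute2/download/, so the rendered link will send readers to the old site. Update the attribute as well, as was done for the same link in the last file of this commit.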

View File

@ -15,11 +15,13 @@
</author>
</authorgroup>
<pubdate>2004-12-11</pubdate>
<pubdate>2005-04-06</pubdate>
<copyright>
<year>2004</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-12</pubdate>
<pubdate>2005-03-31</pubdate>
<copyright>
<year>2002-2005</year>
@ -63,7 +63,11 @@
</listitem>
<listitem>
<para>DMZ connected to a separate ethernet interface.</para>
<para>DMZ connected to a separate ethernet interface. The purpose of a
DMZ is to isolate those servers that are exposed to the Internet from
your local systems so that if one of those servers is compromised
there is still a firewall between the hacked server and your local
systems.</para>
</listitem>
<listitem>

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2005-03-05</pubdate>
<pubdate>2005-03-22</pubdate>
<copyright>
<year>2001-2005</year>
@ -406,7 +406,7 @@ AllowPing <emphasis>&lt;source zone&gt;</emphasis>&nbsp;&nbsp; <emphasis>&lt;des
should be included with your distribution (though many distributions
don't install iproute by default). You may also download the latest
source tarball from <ulink
url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/</ulink>
.</para>
</listitem>