From 9edbc16770d459f68de82a952ef3d880d3c51d8f Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 7 Apr 2005 16:35:59 +0000 Subject: [PATCH] Documentation updates for 2.2.3 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2026 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Documentation.xml | 49 ++++++- Shorewall-docs2/Documentation_Index.xml | 9 +- Shorewall-docs2/FAQ.xml | 125 ++++++++++++++++-- Shorewall-docs2/MAC_Validation.xml | 30 ++++- Shorewall-docs2/PPTP.xml | 6 +- Shorewall-docs2/configuration_file_basics.xml | 14 +- .../shorewall_extension_scripts.xml | 75 ++++++----- Shorewall-docs2/shorewall_prerequisites.xml | 9 +- .../starting_and_stopping_shorewall.xml | 4 +- Shorewall-docs2/three-interface.xml | 8 +- Shorewall-docs2/troubleshoot.xml | 4 +- 11 files changed, 266 insertions(+), 67 deletions(-) diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index 4dede14af..1c6341524 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -15,7 +15,7 @@ - 2005-03-10 + 2005-04-06 2001-2005 @@ -1079,6 +1079,16 @@ loc eth1:192.168.1.0/24,192.168.12.0/24 + + QUEUE + + + Send the connection request to a user-space process via the + iptables QUEUE target (useful when you are using + Snort-inline). + + + CONTINUE 
@@ -2651,6 +2661,37 @@ eth0 eth1 206.124.146.176 + + MACLIST_TTL + + + (Added at version 2.2.0) The performance of configurations + with a large numbers of entries in /etc/shorewall/maclist can be + improved by setting the MACLIST_TTL variable in + /etc/shorewall/shorewall.conf. + + If your iptables and kernel support the "Recent Match" (see + the output of "shorewall check" near the top), you can cache the + results of a 'maclist' file lookup and thus reduce the overhead + associated with MAC + Verification. + + When a new connection arrives from a 'maclist' interface, the + packet passes through then list of entries for that interface in + /etc/shorewall/maclist. If there is a match then the source IP + address is added to the 'Recent' set for that interface. Subsequent + connection attempts from that IP address occuring within + $MACLIST_TTL seconds will be accepted without having to scan all of + the entries. After $MACLIST_TTL from the first accepted connection + request from an IP address, the next connection request from that IP + address will be checked against the entire list. + + If MACLIST_TTL is not specified or is specified as empty (e.g, + MACLIST_TTL="" or is specified as zero then 'maclist' lookups will + not be cached). + + + RFC1918_STRICT @@ -3861,7 +3902,11 @@ all all tcp ftp-data - 8/etc/shorewall/routestopped (Added in Version 1.3.4) This file defines the hosts that are accessible from the firewall - when the firewall is stopped. Columns in the file are: + when the firewall is stopped. Beginning with Shorewall version 2.2.3, + entries in this file are also active while Shorewall is being [re]started. + + + Columns in the file are: diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index 7c77dc632..fd3e6766d 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2005-02-19 + 2005-03-18 2001-2005 
@@ -23,7 +23,7 @@ Thomas M. Eastep - 2.2.0 + 2.2.2 Permission is granted to copy, distribute and/or modify this @@ -162,6 +162,11 @@ address or Subnet + + IP + Address Ranges + + Shorewall Configurations (making a test configuration) diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 31cd929bb..562d8083b 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -17,10 +17,10 @@ - 2005-03-07 + 2005-04-05 - 2001-2004 + 2001-2005 Thomas M. Eastep @@ -78,8 +78,8 @@
- (FAQ 44) I can't install the RPM — I keep getting the message - "error: failed dependencies:iproute is needed..." + (FAQ 44) I can't install/upgrade the RPM — I keep getting the + message "error: failed dependencies:iproute is needed..." Answer: Read the Installation Instructions!!!!! @@ -233,6 +233,51 @@ DNAT net loc:<local IP address>[:< #ACTION SOURCE DEST PROTO DEST PORT DNAT net loc:192.168.1.3:22 tcp 1022
+ +
+ (FAQ 1d) I have a web server in my DMZ and I use port + forwarding to make that server accessible from the Internet. That + works fine but when my local users try to connect to the server using + the Firewall's external IP address, it doesn't work. + + Answer: Let's assume the + following: + + + + External IP address is 206.124.146.176 on eth0. + + + + Server's IP address is 192.168.2.4 + + + + You can enable access to the server from your local network + using the firewall's external IP address by adding this rule: + + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT DEST +DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 + + If your external IP address is dynamic, then you must do the + following: + + In /etc/shorewall/init: + + ETH0_IP=`find_interface_address eth0` + + For users of Shorewall 2.1.0 and later: + + ETH0_IP=`find_first_interface_address eth0` + + and make your DNAT rule: + + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP +
@@ -409,6 +454,51 @@ dmz eth2 192.168.2.255 routeback have Yes in the ALL INTERFACES column.
+ +
+ (FAQ 2b) I have a web server in my DMZ and I use port + forwarding to make that server accessible from the Internet as + www.mydomain.com. That works fine but when my local users try to + connect to www.mydomain.com, it doesn't work. + + Answer: Let's assume the + following: + + + + External IP address is 206.124.146.176 on eth0 (www.mydomain.com). + + + + Server's IP address is 192.168.2.4 + + + + You can enable access to the server from your local network + using the firewall's external IP address by adding this rule: + + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT DEST +DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 + + If your external IP address is dynamic, then you must do the + following: + + In /etc/shorewall/init: + + ETH0_IP=`find_interface_address eth0` + + For users of Shorewall 2.1.0 and later: + + ETH0_IP=`find_first_interface_address eth0` + + and make your DNAT rule: + + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP +
@@ -1144,9 +1234,13 @@ net net DROP eth0 eth2 eth1 eth2 - There was an article in SysAdmin covering this topic. - It may be found at http://www.samag.com/documents/s=1824/sam0201h/ + There was an article in SysAdmin covering the topic of setting up + routing for this configuration. It may be found at http://www.samag.com/documents/s=1824/sam0201h/. + + Stephen Carville has put together a Shorewall-specific writeup + that covers this subject at http://www.heronforge.net/redhat/node17.html. The following information regarding setting up routing for this configuration is reproduced from the
-
- Given that the Debian Stable Release includes Shorewall 1.2.12, - how can you not support that version? +
+ (FAQ 43) Given that the Debian Stable Release includes Shorewall + 1.2.12, how can you not support that version? The first release of Shorewall was in March of 2001. Shorewall 1.2.12 was released in May of 2002. It is now the year 2005 and @@ -1909,7 +2003,12 @@ eth0 eth1 # eth1 = interface to local netwo nmap from the firewall system, I get operation not permitted. How do I allow this option? - Add this command to your /etc/shorewall/start file: + If you are running Shorewall 2.2.0 or later, set DROPINVALID=No + in /etc/shorewall/shorewall.conf. + + Otherwise, add this command to your /etc/shorewall/start + file: run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP
@@ -1958,8 +2057,8 @@ iptables: Invalid argument
(FAQ 28) How do I use Shorewall as a Bridging Firewall? - Experimental Shorewall Bridging Firewall support is available — - check here for details. + Shorewall Bridging Firewall support is available — check here for details.
diff --git a/Shorewall-docs2/MAC_Validation.xml b/Shorewall-docs2/MAC_Validation.xml index a832d9279..8de71983e 100644 --- a/Shorewall-docs2/MAC_Validation.xml +++ b/Shorewall-docs2/MAC_Validation.xml @@ -15,7 +15,7 @@ - 2005-03-11 + 2005-04-06 2001-2005 @@ -94,6 +94,34 @@ If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged. + + + Beginning with Shorewall 2.2.3, the MACLIST_TTL variable in /etc/shorewall/shorewall.conf. The performance of + configurations with a large numbers of entries in + /etc/shorewall/maclist can be improved by setting the MACLIST_TTL + variable. + + If your iptables and kernel support the "Recent Match" (see the + output of "shorewall check" near the top), you can cache the results + of a 'maclist' file lookup and thus reduce the overhead associated + with MAC Verification. + + When a new connection arrives from a 'maclist' interface, the + packet passes through then list of entries for that interface in + /etc/shorewall/maclist. If there is a match then the source IP address + is added to the 'Recent' set for that interface. Subsequent connection + attempts from that IP address occuring within $MACLIST_TTL seconds + will be accepted without having to scan all of the entries. After + $MACLIST_TTL from the first accepted connection request from an IP + address, the next connection request from that IP address will be + checked against the entire list. + + If MACLIST_TTL is not specified or is specified as empty (e.g, + MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not + be cached). +
diff --git a/Shorewall-docs2/PPTP.xml b/Shorewall-docs2/PPTP.xml index 7a86c4757..311d03c7d 100644 --- a/Shorewall-docs2/PPTP.xml +++ b/Shorewall-docs2/PPTP.xml @@ -15,7 +15,7 @@ - 2004-12-23 + 2005-03-28 2001 @@ -26,6 +26,8 @@ 2004 + 2005 + Thomas M. Eastep @@ -355,7 +357,7 @@ alias ppp-compress-26 ppp_deflate Configuring pptpd PoPTop (pptpd) is available from http://poptop.lineo.com/. + url="http://www.poptop.org/">http://www.poptop.org/. Here is a copy of my /etc/pptpd.conf file: diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml index d070e9b48..7214db5ee 100644 --- a/Shorewall-docs2/configuration_file_basics.xml +++ b/Shorewall-docs2/configuration_file_basics.xml @@ -15,7 +15,7 @@ - 2005-03-24 + 2005-03-18 2001-2005 @@ -448,7 +448,7 @@ smtp,www,pop3,imap #Services running on the firewall
-
+
IP Address Ranges Beginning with Shorewall 2.2.0, if you kernel and iptables have @@ -506,7 +506,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100 heading "Shorewall has detected the following iptables/netfilter capabilities:") and if its use is appropriate. - Shorewall can use multiport match if: + Shorewall can use multiport match if: @@ -630,9 +630,11 @@ DNAT net loc:192.168.1.3 tcp 4000:4100 - specifying the separate directory in a shorewall start or - shorewall restart command (e.g., shorewall /etc/testconfig - restart ) + specifying the separate directory in a shorewall + start or shorewall restart command (e.g., + shorewall restart /etc/testconfig using Shorewall + 2.2.0 and later or shorewall -c /etc/testconf + restart using earlier versions ) diff --git a/Shorewall-docs2/shorewall_extension_scripts.xml b/Shorewall-docs2/shorewall_extension_scripts.xml index 3a3ec16ad..740694986 100644 --- a/Shorewall-docs2/shorewall_extension_scripts.xml +++ b/Shorewall-docs2/shorewall_extension_scripts.xml @@ -15,10 +15,10 @@ - 2004-05-10 + 2005-04-06 - 2001-2004 + 2001-2005 Thomas M. Eastep @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -70,7 +71,8 @@ - start -- invoked after the firewall has been started or restarted. + start -- invoked after the firewall has been started or + restarted. 
@@ -96,10 +98,19 @@ newnotsyn chain has been created but before any rules have been added to it. + + + continue (added in version 2.2.3) -- invoked to allow you to + insert special rules to allow traffic while Shorewall is [re]starting. + Any rules added in this script should be deleted in your + start script. This script is invoked earlier in the + [re]start process than is the initdone script + described above. + - If your version of Shorewall doesn't have - the file that you want to use from the above list, you can simply create the + If your version of Shorewall doesn't have the + file that you want to use from the above list, you can simply create the file yourself. You can also supply a script with the same name as any of the filter chains in the firewall and the script will be invoked after the /etc/shorewall/rules file has been processed but before the @@ -114,10 +125,10 @@ run_iptables instead. run_iptables will run the iptables utility passing the arguments to run_iptables and if the command fails, the firewall - will be stopped (Shorewall version < 2.0.2 Beta 1 or there is no + will be stopped (Shorewall version < 2.0.2 Beta 1 or there is no /var/lib/shorewall/restore file) or restored - (Shorewall version >= 2.0.2 Beta 1 and /var/lib/shorewall/restore - exists). + (Shorewall version >= 2.0.2 Beta 1 and + /var/lib/shorewall/restore exists). 
@@ -125,11 +136,13 @@ commands other than iptables that must be re-run in order to restore the firewall to its current state then you must save the commands to the restore file. The restore - file is a temporary file in /var/lib/shorewall - that will be renamed /var/lib/shorewall/restore-base - at the successful completion of the Shorewall command. The - shorewall save command combines /var/lib/shorewall/restore-base - with the output of iptables-save to produce the + file is a temporary file in /var/lib/shorewall that will be renamed + /var/lib/shorewall/restore-base at the successful + completion of the Shorewall command. The shorewall + save command combines + /var/lib/shorewall/restore-base with the output of + iptables-save to produce the /var/lib/shorewall/restore script. Here are three functions that are useful when running commands @@ -142,15 +155,15 @@ Example: save_command echo Operation Complete - That command would simply write "echo Operation - Complete" to the restore file. + That command would simply write "echo Operation Complete" to + the restore file. run_and_save_command() -- saves the passed command to the restore file then executes it. The return value is the exit status of the command. Example: - run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" + run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" Note that as in this example, when the command involves file redirection then the entire command must be enclosed in quotes. This 
@@ -160,21 +173,21 @@ ensure_and_save_command() -- runs the passed command. If the command fails, the firewall is - restored to it's prior saved state and the operation is - terminated. If the command succeeds, the command is written to the - restore file + restored to it's prior saved state and the operation is terminated. + If the command succeeds, the command is written to the restore + file - Beginning with Shorewall 2.0.0, you can also define a - common action to be performed immediately before a - policy of ACCEPT, DROP or REJECT is applied. Separate actions can be assigned to each - policy type so for example you can have a different common action for DROP - and REJECT policies. The most common usage of common actions is to silently - drop traffic that you don't wish to have logged by the policy. + Beginning with Shorewall 2.0.0, you can also define a common + action to be performed immediately before a policy of ACCEPT, + DROP or REJECT is applied. Separate actions can be assigned to each policy type so + for example you can have a different common action for DROP and REJECT + policies. The most common usage of common actions is to silently drop + traffic that you don't wish to have logged by the policy. As released, Shorewall defines a number of actions which are cataloged in the /usr/share/shorewall/actions.std file. That file 
@@ -197,10 +210,10 @@ Reject:REJECT One final note. The chain created to perform an action has the same name as the action. You can use an extension script by that name to add - rules to the action's chain in the same way as you can any other chain. - So if you create the new action Dagger and define it in + rules to the action's chain in the same way as you can any other chain. So + if you create the new action Dagger and define it in /etc/shorewall/action.Dagger, you can also have an extension script named /etc/shorewall/Dagger that can - add rules to the Dagger chain that can't be created using + add rules to the Dagger chain that can't be created using /etc/shorewall/action.Dagger. - + \ No newline at end of file diff --git a/Shorewall-docs2/shorewall_prerequisites.xml b/Shorewall-docs2/shorewall_prerequisites.xml index 4a81e9f68..555efbeb9 100644 --- a/Shorewall-docs2/shorewall_prerequisites.xml +++ b/Shorewall-docs2/shorewall_prerequisites.xml @@ -13,7 +13,7 @@ Eastep - 2005-02-07 + 2005-03-22 2001-2005 @@ -38,9 +38,8 @@ A kernel that supports netfilter. I've tested with 2.4.2 - - 2.6.10. With current releases of Shorewall, Traffic Shaping/Control - requires at least 2.4.18. Check here - for kernel configuration information. + 2.6.11. Check here for kernel + configuration information. @@ -52,7 +51,7 @@ Iproute (ip utility). The iproute package is included with most distributions but may not be installed by default. The official download site is ftp://ftp.inr.ac.ru/ip-routing. + url="ftp://ftp.inr.ac.ru/ip-routing">http://developer.osdl.org/dev/iproute2/download/. diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml index 47134e439..00fe9d7c1 100644 --- a/Shorewall-docs2/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml @@ -15,11 +15,13 @@ - 2004-12-11 + 2005-04-06 2004 + 2005 + Thomas M. Eastep 
diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml index ee6a4d45e..07031dc2f 100755 --- a/Shorewall-docs2/three-interface.xml +++ b/Shorewall-docs2/three-interface.xml @@ -15,7 +15,7 @@ - 2005-02-12 + 2005-03-31 2002-2005 @@ -63,7 +63,11 @@ - DMZ connected to a separate ethernet interface. + DMZ connected to a separate ethernet interface. The purpose of a + DMZ is to isolate those servers that are exposed to the Internet from + your local systems so that if one of those servers is compromised + there is still a firewall between the hacked server and your local + systems. diff --git a/Shorewall-docs2/troubleshoot.xml b/Shorewall-docs2/troubleshoot.xml index 232ea7978..cb5464583 100644 --- a/Shorewall-docs2/troubleshoot.xml +++ b/Shorewall-docs2/troubleshoot.xml @@ -13,7 +13,7 @@ Eastep - 2005-03-05 + 2005-03-22 2001-2005 @@ -406,7 +406,7 @@ AllowPing <source zone>   <des should be included with your distribution (though many distributions don't install iproute by default). You may also download the latest source tarball from ftp://ftp.inr.ac.ru/ip-routing + url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/ .
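Review bot: the QUEUE entry in the Documentation.xml hunk at @@ -1079,6 +1079,16 @@ is missing the two facts an administrator needs before using it: in which files and columns QUEUE is accepted (policy, rules, or both), and what happens to a connection request when no user-space process is reading the queue. Suggest adding one sentence on each point next to "(useful when you are using Snort-inline)" so that nobody deploys a QUEUE policy without a listener attached.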
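Review bot: the MACLIST_TTL text in the Documentation.xml hunk at @@ -2651,6 +2661,37 @@ has several wording defects and a missing caveat. "passes through then list of entries" should read "the list", "occuring" should be "occurring", "After $MACLIST_TTL from the first accepted connection" is missing "seconds", and the final paragraph's parenthesis is misplaced; suggest "If MACLIST_TTL is not specified, is specified as empty (e.g., MACLIST_TTL="") or is specified as zero, then 'maclist' lookups will not be cached." The caveat: since only the source IP address is placed in the 'Recent' set, every connection from that address within the $MACLIST_TTL window is accepted without its MAC being checked, so the cache trades verification strength for performance; the doc should say this plainly so the TTL is chosen with that in mind.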
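Review bot: the Documentation_Index.xml hunk at @@ -23,7 +23,7 @@ bumps the documented version to 2.2.2 while the commit subject says "Documentation updates for 2.2.3" and the MAC_Validation.xml text in this same commit refers to 2.2.3; pick one version and use it consistently.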
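Review bot: in the FAQ 1d hunk at @@ -233,6 +233,51 @@ the second rule table's header comment "# PORT DEST." carries a stray period that the first table ("# PORT DEST") does not, and the two tables also disagree on "DEST PORT(S)" versus "DEST PORT"; make the headers identical. The dynamic-address paragraph should also say that ETH0_IP is assigned when /etc/shorewall/init runs, i.e. at [re]start, so the DNAT rule keeps the old address until Shorewall is restarted after the external address changes.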
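Review bot: the FAQ 2b hunk at @@ -409,6 +454,51 @@ repeats the FAQ 1d answer verbatim (same rules, same /etc/shorewall/init snippet, same stray period in "# PORT DEST."), differing only in the www.mydomain.com wording of the question. Suggest making the 2b answer a short pointer to FAQ 1d so the two copies cannot drift apart on later edits.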
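Review bot: the nmap answer in the FAQ.xml hunk at @@ -1909,7 +2003,12 @@ presents "set DROPINVALID=No in /etc/shorewall/shorewall.conf" and "run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP" as interchangeable, but they are not the same scope: the shorewall.conf setting disables INVALID-state dropping for the whole firewall, while the run_iptables command only removes the rule from the OUTPUT chain, i.e. for traffic originated by the firewall itself. Suggest stating that difference and that the DROPINVALID=No route also admits INVALID packets arriving from the net, so the reader can choose the narrower option where it is enough.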
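Review bot: the first sentence of the MAC_Validation.xml hunk at @@ -94,6 +94,34 @@ has no verb ("Beginning with Shorewall 2.2.3, the MACLIST_TTL variable in /etc/shorewall/shorewall.conf."); suggest "Beginning with Shorewall 2.2.3, the MACLIST_TTL variable in /etc/shorewall/shorewall.conf can be used to cache 'maclist' lookups." It also says 2.2.3 where the Documentation.xml copy of the same text says "(Added at version 2.2.0)"; one of the two is wrong. The remaining paragraphs carry the same defects as the Documentation.xml copy ("then list" for "the list", "occuring", missing "seconds" after "$MACLIST_TTL", misplaced closing parenthesis in the last paragraph) and should be fixed in both places, or better, kept in one place and referenced from the other.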
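Review bot: the configuration_file_basics.xml hunk at @@ -15,7 +15,7 @@ moves the pubdate backward from 2005-03-24 to 2005-03-18, which looks unintended given that every other file in this commit moves forward. In the hunk at @@ -630,9 +630,11 @@ the example directory is /etc/testconfig for "shorewall restart /etc/testconfig" but /etc/testconf for "shorewall -c /etc/testconf restart"; both forms should name the same directory.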
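Review bot: the new "continue" script entry in the shorewall_extension_scripts.xml hunk at @@ -96,10 +98,19 @@ says the rules it inserts "should be deleted in your start script" but not what becomes of them if the [re]start fails before the start script runs, and it gives no guidance on scope. Since these rules are in force while the firewall is only partly built, the doc should advise keeping them as narrow as possible and should describe the failure case; it would also help to relate this script to the routestopped change in Documentation.xml in this same commit, since both now admit traffic during [re]start.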
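Review bot: the iproute link in the shorewall_prerequisites.xml hunk at @@ -52,7 +51,7 @@ only changes the visible text; the url attribute still reads url="ftp://ftp.inr.ac.ru/ip-routing", so the rendered link will show http://developer.osdl.org/dev/iproute2/download/ but point at the old ftp site. The troubleshoot.xml hunk in this commit updates both the url attribute and the text; do the same here.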