diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 1c6341524..858179999 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2005-04-06
+ 2005-04-132001-2005
@@ -1502,6 +1502,48 @@ DNAT net loc:192.168.1.3 tcp ssh
+
+ SAME
+
+
+ Added in Shorewall 2.2.4. SAME is useful when more than
+ one server IP address (an address range, for example) is given
+ in the DEST column below. SAME works similar to DNAT with the
+ exception that when multiple connections from an internet host
+ match a SAME rule then all of the connections will be sent to
+ the same internal server.
+
+
+ Unlike when using DNAT rules, SAME rules may not alter
+ the destination port number used for the connection.
+
+
+
+
+
+ SAME-
+
+
+ Added in Shorewall 2.2.4. SAME generates two iptables
+ rules:
+
+
+
+ a header-rewriting rule in the Netfilter
+ nat table
+
+
+
+ an ACCEPT rule in the Netfilter
+ filter table.
+
+
+
+ SAME- works like SAME but only generates the
+ header-rewriting rule.
+
+
+
REDIRECT
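Review bot: the new SAME entry ("Added in Shorewall 2.2.4. SAME is useful when ...") never says what the action depends on; since this same change set adds a `shorewall show capabilities` command that displays kernel/iptables capabilities, a sentence pointing readers there to confirm support before relying on SAME would prevent a class of "rule has no effect" reports. Grammar in the same paragraph: "works similar to DNAT" should read "works similarly to DNAT", and a comma is needed before "then all of the connections". In the SAME- entry, "only generates the header-rewriting rule" should spell out the consequence: the filter-table ACCEPT rule is not generated and must be supplied by the user's own rules.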
@@ -1736,8 +1778,9 @@ ACCEPT:info - - tc
the addresses in the range in a round-robin fashion
(load-balancing). This feature is available
with DNAT rules only with Shorewall 1.4.6 and later versions; it is
- available with DNAT- rules in all versions that support
- DNAT-.
+ available with DNAT- rules in all versions that support DNAT-. It is
+ available with SAME and SAME- rules in all versions that support
+ those actions.
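Review bot: the added sentence says the round-robin (load-balancing) behaviour "is available with SAME and SAME- rules", but the SAME description added earlier in this patch says that all connections from one host are sent to the same internal server, so for SAME the choice is made per client host rather than per connection. Suggest qualifying the sentence, for example: "With SAME and SAME-, a server is selected per client host rather than per connection, so the load is spread across clients, not across individual connections."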
@@ -1817,9 +1860,9 @@ ACCEPT:info - - tc
Specifying SNAT in a DNAT rule is deprecated and this
- feature will be removed from Shorewall in version 2.1.0. An entry
- in /etc/shorewall/masq can serve the
- same purpose and is the preferred method of performing SNAT with
+ feature was removed from Shorewall in version 2.1.0. An entry in
+ /etc/shorewall/masq can serve the same
+ purpose and is the preferred method of performing SNAT with
Shorewall. See FAQ 2 for an
example.
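Review bot: "Specifying SNAT in a DNAT rule is deprecated and this feature was removed from Shorewall in version 2.1.0" is self-contradictory; once a feature has been removed it is no longer merely deprecated. Suggest: "Specifying SNAT in a DNAT rule is no longer supported; the feature was removed in Shorewall 2.1.0. An entry in /etc/shorewall/masq serves the same purpose and is the preferred method of performing SNAT with Shorewall."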
@@ -2197,6 +2240,28 @@ eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp
#INTERFACE SUBNET ADDRESS PROTO
eth0 192.168.1.0/24 :4000-5000 tcp
+
+ Some internet application that establish multiple connections
+ from a client assume that when SNAT is being used that all
+ connections between the client and a particular client and a remote
+ server will appear to the server to come from the same external IP
+ address. Beginning with Shorewall 2.2.4, you can ensure that this is
+ the case by preceding the ADDRESS range by "SAME:".
+
+ Example:
+
+ #INTERFACE SUBNET ADDRESS
+eth0 10.0.0.0/8 SAME:192.0.2.44-192.168.2.50
+
+ If you want all connections from an internal system to use the
+ same external IP address regardless of the remote server that they
+ are connecting to then precede the ADDRESS range by
+ "SAME:nodst:".
+
+ Example:
+
+ #INTERFACE SUBNET ADDRESS
+eth0 10.0.0.0/8 SAME:nodst:192.0.2.44-192.168.2.50
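Review bot: both new examples use the range `SAME:192.0.2.44-192.168.2.50`, whose two endpoints lie in different /16 networks; given the `192.0.2.44:7000-8000` entry in the context line above, `192.0.2.50` was almost certainly intended. As written the range spans roughly 11 million addresses, and a reader who copies the example verbatim would have SNAT select source addresses the firewall does not own. Wording in the first added paragraph: "Some internet application that establish" should be "Some Internet applications that establish", and "assume that when SNAT is being used that all connections between the client and a particular client and a remote server" has both a duplicated "that" and a duplicated client reference; suggest "assume that, when SNAT is in use, all connections between a particular client and a remote server".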
@@ -3903,8 +3968,8 @@ all all tcp ftp-data - 8This file defines the hosts that are accessible from the firewall
when the firewall is stopped. Beginning with Shorewall version 2.2.3,
- entries in this file are also active while Shorewall is being [re]started.
-
+ entries in this file are also active while Shorewall is being
+ [re]started.
Columns in the file are:
diff --git a/Shorewall-docs2/PPTP.xml b/Shorewall-docs2/PPTP.xml
index 311d03c7d..691b12c49 100644
--- a/Shorewall-docs2/PPTP.xml
+++ b/Shorewall-docs2/PPTP.xml
@@ -15,7 +15,7 @@
- 2005-03-28
+ 2005-04-132001
@@ -440,65 +440,15 @@ esac
loc follows net in /etc/shorewall/zones.
-
- /etc/shorewall/tunnels
+ /etc/shorewall/tunnels:
-
-
-
- TYPE
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+pptpserver net 0.0.0.0/0
- ZONE
+ /etc/shorewall/interfaces:
- GATEWAY
-
- GATEWAY ZONE
-
-
-
-
-
- pptpserver
-
- net
-
- 0.0.0.0/0
-
-
-
-
-
-
+ #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 206.124.146.255 norfc1918
+loc eth2 192.168.10.255
+vpn ppp+Your policies and rules may now be configured for traffic
to/from the vpn zone.
@@ -651,185 +498,33 @@ esac
role="bold">net in /etc/shorewall/zones as shown
below.
-
- /etc/shorewall/tunnels
+ /etc/shorewall/tunnels:
-
-
-
- TYPE
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+pptpserver net 0.0.0.0/0
- ZONE
+ /etc/shorewall/zones:
- GATEWAY
+ #ZONE DISPLAY COMMENTS
+net Internet The Internet
+loc Local Local Network
+vpn1 Remote1 Remote Network 1
+vpn2 Remote2 Remote Network 2
+vpn3 Remote3 Remote Network 3
- GATEWAY ZONE
-
-
+ /etc/shorewall/interfaces:
-
-
- pptpserver
+ #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 206.124.146.255 norfc1918
+loc eth2 192.168.10.255
+- ppp+
- net
+ /etc/shorewall/hosts:
- 0.0.0.0/0
-
-
-
-
-
-
+ #ZONE HOST(S) OPTIONS
+vpn1 ppp+:192.168.1.0/24
+vpn2 ppp+:192.168.2.0/24
+vpn3 ppp+:192.168.3.0/24Your policies and rules can now be configured using separate
zones (vpn1, vpn2, and vpn3) for the three remote network.
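Review bot: the new interfaces entry `- ppp+` assigns no zone to the ppp interfaces, and the hosts entries place peers in vpn1, vpn2 and vpn3 only for 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24; the text should say what happens to a PPTP peer whose address falls outside those three networks, since such a peer matches none of the listed zones and a reader otherwise only discovers that by testing. In the trailing context, "for the three remote network" should be "networks".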
@@ -843,125 +538,22 @@ esac
If you have a single external IP address, add the following to your
/etc/shorewall/rules file:
-
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+DNAT net loc:<server address> tcp 1723
+DNAT net loc:<server address> 47If you have multiple external IP address and you want to forward a
single <external address>, add the following to
your /etc/shorewall/rules file:
-
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+# PORT(S) DEST
+DNAT net loc:<server address> tcp 1723 - <external address>
+DNAT net loc:<server address> 47 - - <external address>
@@ -1021,179 +613,27 @@ loadmodule ip_nat_proto_gre
- Here are examples from my setup:
+ Here are examples from one of my old setups:
-
- /etc/shorewall/rules (For Shorewall versions up to and including
- 1.3.9b)
-
-
-
-
- ACTION
-
- SOURCE
-
- DEST
-
- PROTO
-
- DEST PORT(S)
-
- SOURCE PORT(S)
-
- ORIGINAL DEST
-
-
-
-
-
- ACCEPT
-
- fw
-
- net
-
- tcp
-
- 1723
-
-
-
-
-
-
-
- ACCEPT
-
- fw
-
- net
-
- 47
-
- -
-
-
-
-
-
-
-
-
-
-
- /etc/shorewall/tunnels (For Shorewall versions 1.3.10 and
- later)
-
-
-
-
- TYPE
-
- ZONE
-
- GATEWAY
-
- GATEWAY ZONE
-
-
-
-
-
- pptpclient
-
- net
-
- 0.0.0.0/0
-
-
-
-
-
-
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+pptpclient net 0.0.0.0/0I use the combination of interface and hosts file to define the
cpq zone because I also run a PPTP server on my firewall
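Review bot: together with the removed pre-1.3.10 /etc/shorewall/rules example, the hunk drops the qualifier "For Shorewall versions 1.3.10 and later" from the tunnels listing, so the remaining `pptpclient net 0.0.0.0/0` entry is now shown without any version requirement while the rest of this document still gives version-specific guidance (1.4.6, 2.2.4). Suggest keeping a short note that the tunnels entry requires Shorewall 1.3.10 or later, or stating that earlier releases are no longer covered here.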
@@ -1347,7 +787,7 @@ echo "Attempting to restart PPTP"
restart_pptp > /dev/null 2>&1 &
Here's
- a scriptand corresponding ip-up.local from Jerry Vonau
+ a script and corresponding ip-up.local from Jerry Vonau
jvonau@home.com that controls two PPTP connections.
@@ -1387,31 +827,8 @@ restart_pptp > /dev/null 2>&1 &
Add this entry to /etc/shorewall/zones:
-
+ #ZONE DISPLAY COMMENTS
+modem Modem ADSL ModemThat entry defines a new zone called modem which
will contain only your ADSL modem.
@@ -1420,35 +837,8 @@ restart_pptp > /dev/null 2>&1 &
Add the following entry to /etc/shorewall/interfaces:
-
+ #ZONE INTERFACE BROADCAST OPTIONS
+modem eth0 192.168.1.255 dhcpYou will of course modify the net entry in
/etc/shorewall/interfaces to specify ppp0 as the
@@ -1459,35 +849,8 @@ restart_pptp > /dev/null 2>&1 &
Add the following to /etc/shorewall/tunnels:
-
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+pptpclient modem 192.168.1.1That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index 53e94e0de..b10645f62 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2005-03-08
+ 2005-04-152001-2005
@@ -67,7 +67,7 @@
I use one-to-one NAT for Ursa (my personal system that run SuSE
- 9.2) - Internal address 192.168.1.5 and external address
+ 9.3) - Internal address 192.168.1.5 and external address
206.124.146.178.
@@ -80,7 +80,7 @@
I use SNAT through 206.124.146.176 for my Wife's Windows XP
system Tarry, and our dual-booting (SuSE
- 9.2/Windows XP) laptop Tipper which connects through
+ 9.3/Windows XP) laptop Tipper which connects through
the Wireless Access Point (wap) via a Wireless Bridge (wet), and my
work laptop when it is not docked in my office.While the distance between the WAP and where I usually use
diff --git a/Shorewall-docs2/samba.xml b/Shorewall-docs2/samba.xml
index 38025839e..9688b0c7a 100644
--- a/Shorewall-docs2/samba.xml
+++ b/Shorewall-docs2/samba.xml
@@ -15,7 +15,7 @@
- 2005-01-25
+ 2005-04-142002
@@ -79,7 +79,34 @@ AllowSMB Z2 Z1
To make network browsing (Network Neighborhood) work
properly between Z1 and Z2 requires a Windows Domain Controller and/or a
- WINS server. I run Samba on my firewall to handle browsing between two zones
- connected to my firewall. Details are here.
+ WINS server. I have run Samba on my firewall to handle browsing between two
+ zones connected to my firewall.
+
+ When debugging Samba/SMB problems, I recommend that you do the
+ following:
+
+
+
+ Copy action.Drop and
+ action.Reject from /usr/share/shorewall to /etc/shorewall.
+
+
+
+ Edit the copies and remove the DropSMB and RejectSMB lines.
+
+
+
+ shorewall restart
+
+
+
+ The above steps will cause SMB traffic that is dropped or rejected by
+ policy to be logged rather than handled silently.
+
+ You can just remove the copies and shorewall
+ restart when you are finished debugging.
\ No newline at end of file
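Review bot: the closing sentence "will cause SMB traffic that is dropped or rejected by policy to be logged rather than handled silently" overstates what the three steps do: removing the DropSMB and RejectSMB lines stops the SMB packets from being disposed of silently inside the copied actions, but the packets then fall through to the DROP or REJECT policy and are only logged if that policy carries a log level (the `ACCEPT:info` form used elsewhere in this file). Suggest saying that the policy must have a log level for the SMB packets to appear, and adding that the copies in /etc/shorewall take precedence over the originals in /usr/share/shorewall for as long as they exist, which is why removing them restores the silent behaviour.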
diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml
index 00fe9d7c1..1be38f2c9 100644
--- a/Shorewall-docs2/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml
@@ -15,7 +15,7 @@
- 2005-04-06
+ 2005-04-132004
@@ -744,6 +744,10 @@
shorewall show log - display the last 20
packet log entries.
+ shorewall show capabilities - Added in
+ Shorewall version 2.2.4 and displays your kernel/iptables
+ capabilities
+
shorewall show connections - displays the
IP connections currently being tracked by the firewall.
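Review bot: the new entry "shorewall show capabilities - Added in Shorewall version 2.2.4 and displays your kernel/iptables capabilities" lacks a terminal period, and the "and" joins a version note to the description, whereas the neighbouring entries each begin with a verb phrase ("display the last 20 packet log entries", "displays the IP connections currently being tracked"). Suggest: "shorewall show capabilities - displays your kernel/iptables capabilities (added in Shorewall version 2.2.4)."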