Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2054 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-04-15 22:22:36 +00:00
parent ea3fa8710e
commit a1d75c0887
5 changed files with 181 additions and 722 deletions

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-04-06</pubdate> <pubdate>2005-04-13</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -1502,6 +1502,48 @@ DNAT net loc:192.168.1.3 tcp ssh
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>SAME</term>
<listitem>
<para>Added in Shorewall 2.2.4. SAME is useful when more than
one server IP address (an address range, for example) is given
in the DEST column below. SAME works similar to DNAT with the
exception that when multiple connections from an internet host
match a SAME rule then all of the connections will be sent to
the same internal server.</para>
<note>
<para>Unlike when using DNAT rules, SAME rules may not alter
the destination port number used for the connection.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>SAME-</term>
<listitem>
<para>Added in Shorewall 2.2.4. SAME generates two iptables
rules:</para>
<orderedlist>
<listitem>
<para>a header-rewriting rule in the Netfilter
<quote>nat</quote> table</para>
</listitem>
<listitem>
<para>an ACCEPT rule in the Netfilter
<quote>filter</quote> table.</para>
</listitem>
</orderedlist>
<para>SAME- works like SAME but only generates the
header-rewriting rule.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>REDIRECT</term> <term>REDIRECT</term>
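Review bot: the SAME- entry opens with "Added in Shorewall 2.2.4. SAME generates two iptables rules", which reads as a misplaced description of SAME rather than of SAME-; consider moving the two-rule explanation (nat-table header rewrite plus filter-table ACCEPT) into the SAME entry and leaving the SAME- entry with only "SAME- works like SAME but only generates the header-rewriting rule." The note in the SAME entry says such rules "may not alter the destination port number" but does not say what happens when a user supplies a port anyway (rejected at start time, or silently ignored); stating that explicitly would save readers from debugging a rule that looks valid but does not do what they expect.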
@ -1736,8 +1778,9 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
the addresses in the range in a round-robin fashion the addresses in the range in a round-robin fashion
(load-balancing). <emphasis role="bold">This feature is available (load-balancing). <emphasis role="bold">This feature is available
with DNAT rules only with Shorewall 1.4.6 and later versions; it is with DNAT rules only with Shorewall 1.4.6 and later versions; it is
available with DNAT- rules in all versions that support available with DNAT- rules in all versions that support DNAT-. It is
DNAT-.</emphasis></para> available with SAME and SAME- rules in all versions that support
those actions.</emphasis></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
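Review bot: the new sentence says the round-robin load-balancing behaviour is "available with SAME and SAME- rules", but the SAME entry added earlier in this patch says that all connections from one internet host go to the same internal server. Both statements are true only if the round-robin choice is made per client host rather than per connection; consider saying so here, for example "with SAME and SAME-, the address is chosen per client host so that all of that host's connections go to the same server", so the two descriptions do not appear to contradict each other.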
@ -1817,9 +1860,9 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
<warning> <warning>
<para>Specifying SNAT in a DNAT rule is deprecated and this <para>Specifying SNAT in a DNAT rule is deprecated and this
feature will be removed from Shorewall in version 2.1.0. An entry feature was removed from Shorewall in version 2.1.0. An entry in
in <link linkend="Masq">/etc/shorewall/masq</link> can serve the <link linkend="Masq">/etc/shorewall/masq</link> can serve the same
same purpose and is the preferred method of performing SNAT with purpose and is the preferred method of performing SNAT with
Shorewall. See <ulink url="FAQ.htm#faq2">FAQ 2</ulink> for an Shorewall. See <ulink url="FAQ.htm#faq2">FAQ 2</ulink> for an
example.</para> example.</para>
</warning> </warning>
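Review bot: after changing "will be removed" to "was removed from Shorewall in version 2.1.0", the opening clause "Specifying SNAT in a DNAT rule is deprecated" is no longer accurate for a removed feature; suggest "Specifying SNAT in a DNAT rule is no longer supported; the feature was removed in Shorewall 2.1.0." The pointer to /etc/shorewall/masq and FAQ 2 can stay as the replacement procedure.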
@ -2197,6 +2240,28 @@ eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp</programlisting>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO <programlisting>#INTERFACE SUBNET ADDRESS PROTO
eth0 192.168.1.0/24 :4000-5000 tcp</programlisting> eth0 192.168.1.0/24 :4000-5000 tcp</programlisting>
<para>Some internet application that establish multiple connections
from a client assume that when SNAT is being used that all
connections between the client and a particular client and a remote
server will appear to the server to come from the same external IP
address. Beginning with Shorewall 2.2.4, you can ensure that this is
the case by preceding the ADDRESS range by "SAME:".</para>
<para>Example:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 10.0.0.0/8 SAME:192.0.2.44-192.168.2.50</programlisting>
<para>If you want all connections from an internal system to use the
same external IP address regardless of the remote server that they
are connecting to then precede the ADDRESS range by
"SAME:nodst:".</para>
<para>Example:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 10.0.0.0/8 SAME:nodst:192.0.2.44-192.168.2.50</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
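Review bot: the example range in both new listings, "SAME:192.0.2.44-192.168.2.50", runs from 192.0.2.44 all the way to 192.168.2.50, which spans millions of addresses and crosses into RFC 1918 space; given the earlier example on this page uses 192.0.2.44:7000-8000, this looks like a typo for "192.0.2.44-192.0.2.50". The new paragraph also has two wording problems: "Some internet application that establish" should be "Some internet applications that establish", and "all connections between the client and a particular client and a remote server" repeats "a particular client"; suggest "all connections between a particular client and a remote server". Finally, the "SAME:nodst:" paragraph would benefit from one sentence on the trade-off, since pinning every connection from an internal host to one external address removes the load distribution that the plain range provides.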
@ -3903,8 +3968,8 @@ all all tcp ftp-data - 8</programlisting
<para>This file defines the hosts that are accessible from the firewall <para>This file defines the hosts that are accessible from the firewall
when the firewall is stopped. Beginning with Shorewall version 2.2.3, when the firewall is stopped. Beginning with Shorewall version 2.2.3,
entries in this file are also active while Shorewall is being [re]started. entries in this file are also active while Shorewall is being
</para> [re]started.</para>
<para>Columns in the file are:</para> <para>Columns in the file are:</para>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-03-28</pubdate> <pubdate>2005-04-13</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2001</year>
@ -440,65 +440,15 @@ esac</programlisting>
<emphasis role="bold">loc</emphasis> follows <emphasis <emphasis role="bold">loc</emphasis> follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones.</para> role="bold">net</emphasis> in /etc/shorewall/zones.</para>
<table> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<title>/etc/shorewall/tunnels</title>
<tgroup cols="4"> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<thead> pptpserver net 0.0.0.0/0</programlisting>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<entry align="center">GATEWAY</entry> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc ppp+</programlisting>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>pptpserver</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>ppp+</entry>
<entry>-</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</section> </section>
<section> <section>
@ -511,127 +461,24 @@ esac</programlisting>
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
as shown below.</para> as shown below.</para>
<table> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<title>/etc/shorewall/tunnels</title>
<tgroup cols="4"> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<thead> pptpserver net 0.0.0.0/0</programlisting>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry> <para><filename>/etc/shorewall/zones</filename>:</para>
<entry align="center">GATEWAY</entry> <programlisting>#ZONE DISPLAY COMMENTS
net Internet The Internet
loc Local Local Network
vpn VPN Remote Users</programlisting>
<entry align="center">GATEWAY ZONE</entry> <para><filename>/etc/shorewall/interfaces</filename>:</para>
</row>
</thead>
<tbody> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<row> net eth0 206.124.146.255 norfc1918
<entry>pptpserver</entry> loc eth2 192.168.10.255
vpn ppp+</programlisting>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The Internet</entry>
</row>
<row>
<entry>loc</entry>
<entry>Local</entry>
<entry>Local Network</entry>
</row>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Users</entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>eth0</entry>
<entry>206.124.146.255</entry>
<entry>norfc1918</entry>
</row>
<row>
<entry>loc</entry>
<entry>eth2</entry>
<entry>192.168.10.255</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>ppp+</entry>
<entry>-</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>Your policies and rules may now be configured for traffic <para>Your policies and rules may now be configured for traffic
to/from the <emphasis role="bold">vpn</emphasis> zone.</para> to/from the <emphasis role="bold">vpn</emphasis> zone.</para>
@ -651,185 +498,33 @@ esac</programlisting>
role="bold">net</emphasis> in /etc/shorewall/zones as shown role="bold">net</emphasis> in /etc/shorewall/zones as shown
below.</para> below.</para>
<table> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<title>/etc/shorewall/tunnels</title>
<tgroup cols="4"> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<thead> pptpserver net 0.0.0.0/0</programlisting>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry> <para><filename>/etc/shorewall/zones</filename>:</para>
<entry align="center">GATEWAY</entry> <programlisting>#ZONE DISPLAY COMMENTS
net Internet The Internet
loc Local Local Network
vpn1 Remote1 Remote Network 1
vpn2 Remote2 Remote Network 2
vpn3 Remote3 Remote Network 3</programlisting>
<entry align="center">GATEWAY ZONE</entry> <para><filename>/etc/shorewall/interfaces</filename>:</para>
</row>
</thead>
<tbody> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<row> net eth0 206.124.146.255 norfc1918
<entry>pptpserver</entry> loc eth2 192.168.10.255
- ppp+</programlisting>
<entry>net</entry> <para><filename>/etc/shorewall/hosts</filename>:</para>
<entry>0.0.0.0/0</entry> <programlisting>#ZONE HOST(S) OPTIONS
vpn1 ppp+:192.168.1.0/24
<entry></entry> vpn2 ppp+:192.168.2.0/24
</row> vpn3 ppp+:192.168.3.0/24</programlisting>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The Internet</entry>
</row>
<row>
<entry>loc</entry>
<entry>Local</entry>
<entry>Local Network</entry>
</row>
<row>
<entry>vpn1</entry>
<entry>Remote1</entry>
<entry>Remote Network 1</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>Remote2</entry>
<entry>Remote Network 2</entry>
</row>
<row>
<entry>vpn3</entry>
<entry>Remote3</entry>
<entry>Remote Network 3</entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>eth0</entry>
<entry>206.124.146.255</entry>
<entry>norfc1918</entry>
</row>
<row>
<entry>loc</entry>
<entry>eth2</entry>
<entry>192.168.10.255</entry>
<entry></entry>
</row>
<row>
<entry>-</entry>
<entry>ppp+</entry>
<entry>-</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/hosts</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">HOST(S)</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>ppp+:192.168.1.0/24</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>ppp+:192.168.2.0/24</entry>
<entry></entry>
</row>
<row>
<entry>vpn3</entry>
<entry>ppp+:192.168.3.0/24</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>Your policies and rules can now be configured using separate <para>Your policies and rules can now be configured using separate
zones (vpn1, vpn2, and vpn3) for the three remote network.</para> zones (vpn1, vpn2, and vpn3) for the three remote network.</para>
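Review bot: the unchanged context line "for the three remote network" should read "for the three remote networks"; since this hunk already touches the surrounding paragraph, it is a cheap fix to fold in. In the new interfaces listing the ppp+ entry has ZONE "-" while the hosts listing assigns vpn1/vpn2/vpn3 by subnet, which is the intended pattern, but a one-line remark that "-" means the zone is determined by /etc/shorewall/hosts would help readers who compare it with the single-zone example above, where the same interface is listed as "vpn ppp+".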
@ -843,125 +538,22 @@ esac</programlisting>
<para>If you have a single external IP address, add the following to your <para>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</para> /etc/shorewall/rules file:</para>
<table> <para><filename>/etc/shorewall/rules</filename>:</para>
<title>/etc/shorewall/rules</title>
<tgroup cols="7"> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<thead> DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> tcp 1723
<row> DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> 47</programlisting>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry>DEST</entry>
<entry>PROTO</entry>
<entry>DEST PORT(S)</entry>
<entry>SOURCE PORT(S)</entry>
<entry>ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>tcp</entry>
<entry>1723</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>47</entry>
<entry>-</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>If you have multiple external IP address and you want to forward a <para>If you have multiple external IP address and you want to forward a
single &lt;<emphasis>external address</emphasis>&gt;, add the following to single &lt;<emphasis>external address</emphasis>&gt;, add the following to
your /etc/shorewall/rules file:</para> your /etc/shorewall/rules file:</para>
<table> <para><filename>/etc/shorewall/rules</filename>:</para>
<title>/etc/shorewall/rules</title>
<tgroup cols="7"> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
<thead> # PORT(S) DEST
<row> DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> tcp 1723 - <emphasis>&lt;external address&gt;</emphasis>
<entry align="center">ACTION</entry> DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> 47 - - <emphasis>&lt;external address&gt;</emphasis></programlisting>
<entry align="center">SOURCE</entry>
<entry>DEST</entry>
<entry>PROTO</entry>
<entry>DEST PORT(S)</entry>
<entry>SOURCE PORT(S)</entry>
<entry>ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>tcp</entry>
<entry>1723</entry>
<entry>-</entry>
<entry>&lt;<emphasis>external address</emphasis>&gt;</entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>47</entry>
<entry>-</entry>
<entry>-</entry>
<entry>&lt;<emphasis>external address</emphasis>&gt;</entry>
</row>
</tbody>
</tgroup>
</table>
</section> </section>
<section id="ClientsBehind"> <section id="ClientsBehind">
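Review bot: the context line "If you have multiple external IP address and you want to forward a single <external address>" should read "multiple external IP addresses"; worth fixing while the listings below it are being rewritten. In the single-address listing the second rule places "47" in the PROTO column with no DEST PORT(S) value, which is correct for GRE but easy to misread under a header that ends at "DEST PORT(S)"; a short "# 47 = GRE" comment in the listing, or "gre" in place of 47, would make the intent clearer. Since these DNAT rules open the PPTP server to the whole net zone, the text could also mention that SOURCE may be narrowed to the addresses of known clients where those are fixed.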
@ -1021,179 +613,27 @@ loadmodule ip_nat_proto_gre</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Here are examples from my setup:</para> <para>Here are examples from one of my old setups:</para>
<table> <para><filename>/etc/shorewall/zones</filename>:</para>
<title>/etc/shorewall/zones</title>
<tgroup cols="3"> <programlisting>#ZONE DISPLAY COMMENTS
<thead> cpq Compaq Compaq Intranet</programlisting>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<entry align="center">COMMENTS</entry> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
</row> - ppp+</programlisting>
</thead>
<tbody> <para>/etc/shorewall/hosts:</para>
<row>
<entry>cpq</entry>
<entry>Compaq</entry> <programlisting>#ZONE HOST(S) OPTIONS
cpq ppp+:!192.168.1.0/24</programlisting>
<entry>Compaq Intranet</entry> <para><filename>/etc/shorewall/tunnels</filename>:</para>
</row>
</tbody>
</tgroup>
</table>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/interfaces</title> pptpclient net 0.0.0.0/0</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>ppp+</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/hosts</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">HOST(S)</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>ppp+:!192.168.1.0/24</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/rules (For Shorewall versions up to and including
1.3.9b)</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>fw</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>1723</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>fw</entry>
<entry>net</entry>
<entry>47</entry>
<entry>-</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and
later)</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>pptpclient</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>I use the combination of interface and hosts file to define the <para>I use the combination of interface and hosts file to define the
<quote>cpq</quote> zone because I also run a PPTP server on my firewall <quote>cpq</quote> zone because I also run a PPTP server on my firewall
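Review bot: the new hosts listing correctly assigns "cpq" to "ppp+:!192.168.1.0/24" where the old table had "-" in the ZONE column, but the intervening paragraph label "<para>/etc/shorewall/hosts:</para>" lacks the <filename> markup that the sibling labels for zones, interfaces and tunnels in this same hunk use; suggest "<para><filename>/etc/shorewall/hosts</filename>:</para>" for consistency. The removed "rules (for versions up to and including 1.3.9b)" table is the only place on the page that documented the pre-tunnels method; if those versions are no longer supported this is fine, otherwise a one-line pointer would avoid a dangling question for readers on old releases.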
@ -1347,7 +787,7 @@ echo "Attempting to restart PPTP"
restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting> restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<para><ulink url="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's <para><ulink url="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's
a scriptand corresponding ip-up.local</ulink> from Jerry Vonau a script and corresponding ip-up.local</ulink> from Jerry Vonau
<email>jvonau@home.com</email> that controls two PPTP connections.</para> <email>jvonau@home.com</email> that controls two PPTP connections.</para>
</section> </section>
@ -1387,31 +827,8 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<listitem> <listitem>
<para>Add this entry to /etc/shorewall/zones:</para> <para>Add this entry to /etc/shorewall/zones:</para>
<table> <programlisting>#ZONE DISPLAY COMMENTS
<title>/etc/shorewall/zones</title> modem Modem ADSL Modem</programlisting>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>modem</entry>
<entry>Modem</entry>
<entry>ADSL Modem</entry>
</row>
</tbody>
</tgroup>
</table>
<para>That entry defines a new zone called <quote>modem</quote> which <para>That entry defines a new zone called <quote>modem</quote> which
will contain only your ADSL modem.</para> will contain only your ADSL modem.</para>
@ -1420,35 +837,8 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<listitem> <listitem>
<para>Add the following entry to /etc/shorewall/interfaces:</para> <para>Add the following entry to /etc/shorewall/interfaces:</para>
<table> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<title>/etc/shorewall/interfaces</title> modem eth0 192.168.1.255 dhcp</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>modem</entry>
<entry>eth0</entry>
<entry>192.168.1.255</entry>
<entry>dhcp</entry>
</row>
</tbody>
</tgroup>
</table>
<para>You will of course modify the <quote>net</quote> entry in <para>You will of course modify the <quote>net</quote> entry in
/etc/shorewall/interfaces to specify <quote>ppp0</quote> as the /etc/shorewall/interfaces to specify <quote>ppp0</quote> as the
@ -1459,35 +849,8 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<listitem> <listitem>
<para>Add the following to /etc/shorewall/tunnels:</para> <para>Add the following to /etc/shorewall/tunnels:</para>
<table> <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
<title>/etc/shorewall/tunnels</title> pptpclient modem 192.168.1.1</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>pptpclient</entry>
<entry>modem</entry>
<entry>192.168.1.1</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>That entry allows a PPTP tunnel to be established between your <para>That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.</para> Shorewall system and the PPTP server in the modem.</para>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-03-08</pubdate> <pubdate>2005-04-15</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -67,7 +67,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>I use one-to-one NAT for Ursa (my personal system that run SuSE <para>I use one-to-one NAT for Ursa (my personal system that run SuSE
9.2) - Internal address 192.168.1.5 and external address 9.3) - Internal address 192.168.1.5 and external address
206.124.146.178.</para> 206.124.146.178.</para>
</listitem> </listitem>
@ -80,7 +80,7 @@
<listitem> <listitem>
<para>I use SNAT through 206.124.146.176 for&nbsp;my Wife's Windows XP <para>I use SNAT through 206.124.146.176 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
9.2/Windows XP) laptop <quote>Tipper</quote> which connects through 9.3/Windows XP) laptop <quote>Tipper</quote> which connects through
the Wireless Access Point (wap) via a Wireless Bridge (wet), and my the Wireless Access Point (wap) via a Wireless Bridge (wet), and my
work laptop when it is not docked in my office.<note> work laptop when it is not docked in my office.<note>
<para>While the distance between the WAP and where I usually use <para>While the distance between the WAP and where I usually use

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-01-25</pubdate> <pubdate>2005-04-14</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002</year>
@ -79,7 +79,34 @@ AllowSMB Z2 Z1</programlisting>
<para>To make network browsing (<quote>Network Neighborhood</quote>) work <para>To make network browsing (<quote>Network Neighborhood</quote>) work
properly between Z1 and Z2 requires a Windows Domain Controller and/or a properly between Z1 and Z2 requires a Windows Domain Controller and/or a
WINS server. I run Samba on my firewall to handle browsing between two zones WINS server. I have run Samba on my firewall to handle browsing between two
connected to my firewall. Details are <ulink zones connected to my firewall.</para>
url="myfiles.htm">here</ulink>.</para>
<para>When debugging Samba/SMB problems, I recommend that you do the
following:</para>
<orderedlist>
<listitem>
<para>Copy <filename>action.Drop</filename> and
<filename>action.Reject</filename> from <filename
class="directory">/usr/share/shorewall</filename> to <filename
class="directory">/etc/shorewall</filename>.</para>
</listitem>
<listitem>
<para>Edit the copies and remove the <emphasis
role="bold">DropSMB</emphasis> and <emphasis
role="bold">RejectSMB</emphasis> lines.</para>
</listitem>
<listitem>
<para><command>shorewall restart</command></para>
</listitem>
</orderedlist>
<para>The above steps will cause SMB traffic that is dropped or rejected by
policy to be logged rather than handled silently.</para>
<para>You can just remove the copies and <command>shorewall
restart</command> when you are finished debugging.</para>
</article> </article>
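Review bot: the concluding sentence "The above steps will cause SMB traffic that is dropped or rejected by policy to be logged rather than handled silently" holds only when the DROP/REJECT policies in /etc/shorewall/policy carry a log level; removing the DropSMB and RejectSMB lines from the copied action.Drop and action.Reject only stops the actions from discarding SMB before the policy's own logging runs. Suggest adding "provided that your DROP and REJECT policies specify a log level" to that sentence. Step 3 could also use a verb, for example "Run <command>shorewall restart</command>", to match the imperative form of steps 1 and 2, and the dropped "Details are here" link leaves no pointer to the Samba configuration that was previously referenced; if myfiles.htm is gone, saying so is fine, otherwise restore the link.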

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-04-06</pubdate> <pubdate>2005-04-13</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -744,6 +744,10 @@
<para><command>shorewall show log</command> - display the last 20 <para><command>shorewall show log</command> - display the last 20
packet log entries.</para> packet log entries.</para>
<para><command>shorewall show capabilities</command> - Added in
Shorewall version 2.2.4 and displays your kernel/iptables
capabilities</para>
<para><command>shorewall show connections</command> - displays the <para><command>shorewall show connections</command> - displays the
IP connections currently being tracked by the firewall.</para> IP connections currently being tracked by the firewall.</para>
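Review bot: the new entry "shorewall show capabilities - Added in Shorewall version 2.2.4 and displays your kernel/iptables capabilities" breaks the pattern of the surrounding entries, which all read "<command> - <description>." and end with a period; suggest "shorewall show capabilities - displays the kernel/iptables capabilities that Shorewall detected (added in Shorewall 2.2.4)." One sentence on why a user would run it, for example to confirm that a feature such as SAME or connection tracking is supported before relying on it in the rules file, would make the entry more useful.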