Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2054 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-04-15 22:22:36 +00:00
parent ea3fa8710e
commit a1d75c0887
5 changed files with 181 additions and 722 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-04-06</pubdate>
<pubdate>2005-04-13</pubdate>
<copyright>
<year>2001-2005</year>
@ -1502,6 +1502,48 @@ DNAT net loc:192.168.1.3 tcp ssh
</listitem>
</varlistentry>
<varlistentry>
<term>SAME</term>
<listitem>
<para>Added in Shorewall 2.2.4. SAME is useful when more than
one server IP address (an address range, for example) is given
in the DEST column below. SAME works similar to DNAT with the
exception that when multiple connections from an internet host
match a SAME rule then all of the connections will be sent to
the same internal server.</para>
<note>
<para>Unlike when using DNAT rules, SAME rules may not alter
the destination port number used for the connection.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>SAME-</term>
<listitem>
<para>Added in Shorewall 2.2.4. SAME generates two iptables
rules:</para>
<orderedlist>
<listitem>
<para>a header-rewriting rule in the Netfilter
<quote>nat</quote> table</para>
</listitem>
<listitem>
<para>an ACCEPT rule in the Netfilter
<quote>filter</quote> table.</para>
</listitem>
</orderedlist>
<para>SAME- works like SAME but only generates the
header-rewriting rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>REDIRECT</term>
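Review bot: the new SAME entry does not say what happens when the running kernel or iptables lacks support for it, and since this same commit documents `shorewall show capabilities` (also new in 2.2.4), a one-line pointer to that command would let readers verify support before writing SAME rules. Two wording points in the same hunk: "SAME works similar to DNAT" should read "SAME works similarly to DNAT", and under the SAME- term the opening sentence "SAME generates two iptables rules:" reads oddly until the reader reaches "SAME- works like SAME but only generates the header-rewriting rule"; leading with "SAME- works like SAME, which generates two iptables rules:" keeps the entry about the term it documents.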
@ -1736,8 +1778,9 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
the addresses in the range in a round-robin fashion
(load-balancing). <emphasis role="bold">This feature is available
with DNAT rules only with Shorewall 1.4.6 and later versions; it is
available with DNAT- rules in all versions that support
DNAT-.</emphasis></para>
available with DNAT- rules in all versions that support DNAT-. It is
available with SAME and SAME- rules in all versions that support
those actions.</emphasis></para>
</listitem>
</varlistentry>
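Review bot: the added sentence "It is available with SAME and SAME- rules in all versions that support those actions" attaches SAME to a feature the surrounding context describes as per-connection round-robin ("the addresses in the range in a round-robin fashion (load-balancing)"), yet the SAME entry added earlier in this patch says that all connections from one internet host are sent to the same internal server. Suggest qualifying it, e.g. "With SAME and SAME-, the server is chosen once per client host rather than once per connection."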
@ -1817,9 +1860,9 @@ ACCEPT<emphasis role="bold">:info</emphasis> - - tc
<warning>
<para>Specifying SNAT in a DNAT rule is deprecated and this
feature will be removed from Shorewall in version 2.1.0. An entry
in <link linkend="Masq">/etc/shorewall/masq</link> can serve the
same purpose and is the preferred method of performing SNAT with
feature was removed from Shorewall in version 2.1.0. An entry in
<link linkend="Masq">/etc/shorewall/masq</link> can serve the same
purpose and is the preferred method of performing SNAT with
Shorewall. See <ulink url="FAQ.htm#faq2">FAQ 2</ulink> for an
example.</para>
</warning>
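Review bot: the unchanged first line of the warning still says "Specifying SNAT in a DNAT rule is deprecated and this", which no longer fits the rewritten continuation "feature was removed from Shorewall in version 2.1.0"; a feature that has been removed is not deprecated, it is unsupported. Suggest "Specifying SNAT in a DNAT rule is no longer supported; the feature was removed in Shorewall 2.1.0."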
@ -2197,6 +2240,28 @@ eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp</programlisting>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO
eth0 192.168.1.0/24 :4000-5000 tcp</programlisting>
<para>Some internet application that establish multiple connections
from a client assume that when SNAT is being used that all
connections between the client and a particular client and a remote
server will appear to the server to come from the same external IP
address. Beginning with Shorewall 2.2.4, you can ensure that this is
the case by preceding the ADDRESS range by "SAME:".</para>
<para>Example:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 10.0.0.0/8 SAME:192.0.2.44-192.168.2.50</programlisting>
<para>If you want all connections from an internal system to use the
same external IP address regardless of the remote server that they
are connecting to then precede the ADDRESS range by
"SAME:nodst:".</para>
<para>Example:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 10.0.0.0/8 SAME:nodst:192.0.2.44-192.168.2.50</programlisting>
</listitem>
</varlistentry>
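Review bot: the example range in both new listings, "SAME:192.0.2.44-192.168.2.50", runs from 192.0.2.44 all the way to 192.168.2.50, far outside the 192.0.2.0/24 block the neighbouring examples use (context line "eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp") and into 192.168.0.0/16; "192.0.2.44-192.0.2.50" is almost certainly what was meant. The new paragraph also needs "Some internet application that establish" -> "Some internet applications that establish", "assume that when SNAT is being used that all" -> "assume that when SNAT is being used all", and "between the client and a particular client and a remote server" has a duplicated phrase; read "between a particular client and a remote server".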
@ -3903,8 +3968,8 @@ all all tcp ftp-data - 8</programlisting
<para>This file defines the hosts that are accessible from the firewall
when the firewall is stopped. Beginning with Shorewall version 2.2.3,
entries in this file are also active while Shorewall is being [re]started.
</para>
entries in this file are also active while Shorewall is being
[re]started.</para>
<para>Columns in the file are:</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-03-28</pubdate>
<pubdate>2005-04-13</pubdate>
<copyright>
<year>2001</year>
@ -440,65 +440,15 @@ esac</programlisting>
<emphasis role="bold">loc</emphasis> follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones.</para>
<table>
<title>/etc/shorewall/tunnels</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
pptpserver net 0.0.0.0/0</programlisting>
<entry align="center">ZONE</entry>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>pptpserver</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>ppp+</entry>
<entry>-</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc ppp+</programlisting>
</section>
<section>
@ -511,127 +461,24 @@ esac</programlisting>
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
as shown below.</para>
<table>
<title>/etc/shorewall/tunnels</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
pptpserver net 0.0.0.0/0</programlisting>
<entry align="center">ZONE</entry>
<para><filename>/etc/shorewall/zones</filename>:</para>
<entry align="center">GATEWAY</entry>
<programlisting>#ZONE DISPLAY COMMENTS
net Internet The Internet
loc Local Local Network
vpn VPN Remote Users</programlisting>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<tbody>
<row>
<entry>pptpserver</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The Internet</entry>
</row>
<row>
<entry>loc</entry>
<entry>Local</entry>
<entry>Local Network</entry>
</row>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Users</entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>eth0</entry>
<entry>206.124.146.255</entry>
<entry>norfc1918</entry>
</row>
<row>
<entry>loc</entry>
<entry>eth2</entry>
<entry>192.168.10.255</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>ppp+</entry>
<entry>-</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 norfc1918
loc eth2 192.168.10.255
vpn ppp+</programlisting>
<para>Your policies and rules may now be configured for traffic
to/from the <emphasis role="bold">vpn</emphasis> zone.</para>
@ -651,185 +498,33 @@ esac</programlisting>
role="bold">net</emphasis> in /etc/shorewall/zones as shown
below.</para>
<table>
<title>/etc/shorewall/tunnels</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
pptpserver net 0.0.0.0/0</programlisting>
<entry align="center">ZONE</entry>
<para><filename>/etc/shorewall/zones</filename>:</para>
<entry align="center">GATEWAY</entry>
<programlisting>#ZONE DISPLAY COMMENTS
net Internet The Internet
loc Local Local Network
vpn1 Remote1 Remote Network 1
vpn2 Remote2 Remote Network 2
vpn3 Remote3 Remote Network 3</programlisting>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<tbody>
<row>
<entry>pptpserver</entry>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 norfc1918
loc eth2 192.168.10.255
- ppp+</programlisting>
<entry>net</entry>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<entry>0.0.0.0/0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The Internet</entry>
</row>
<row>
<entry>loc</entry>
<entry>Local</entry>
<entry>Local Network</entry>
</row>
<row>
<entry>vpn1</entry>
<entry>Remote1</entry>
<entry>Remote Network 1</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>Remote2</entry>
<entry>Remote Network 2</entry>
</row>
<row>
<entry>vpn3</entry>
<entry>Remote3</entry>
<entry>Remote Network 3</entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>eth0</entry>
<entry>206.124.146.255</entry>
<entry>norfc1918</entry>
</row>
<row>
<entry>loc</entry>
<entry>eth2</entry>
<entry>192.168.10.255</entry>
<entry></entry>
</row>
<row>
<entry>-</entry>
<entry>ppp+</entry>
<entry>-</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/hosts</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">HOST(S)</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>ppp+:192.168.1.0/24</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>ppp+:192.168.2.0/24</entry>
<entry></entry>
</row>
<row>
<entry>vpn3</entry>
<entry>ppp+:192.168.3.0/24</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE HOST(S) OPTIONS
vpn1 ppp+:192.168.1.0/24
vpn2 ppp+:192.168.2.0/24
vpn3 ppp+:192.168.3.0/24</programlisting>
<para>Your policies and rules can now be configured using separate
zones (vpn1, vpn2, and vpn3) for the three remote network.</para>
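Review bot: the unchanged closing sentence "for the three remote network" should read "for the three remote networks". The replacement listings carry over every value from the removed tables, including the "- ppp+" interfaces line and the three hosts entries, so no content is lost in this hunk.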
@ -843,125 +538,22 @@ esac</programlisting>
<para>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</para>
<table>
<title>/etc/shorewall/rules</title>
<para><filename>/etc/shorewall/rules</filename>:</para>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry>DEST</entry>
<entry>PROTO</entry>
<entry>DEST PORT(S)</entry>
<entry>SOURCE PORT(S)</entry>
<entry>ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>tcp</entry>
<entry>1723</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>47</entry>
<entry>-</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> tcp 1723
DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> 47</programlisting>
<para>If you have multiple external IP address and you want to forward a
single &lt;<emphasis>external address</emphasis>&gt;, add the following to
your /etc/shorewall/rules file:</para>
<table>
<title>/etc/shorewall/rules</title>
<para><filename>/etc/shorewall/rules</filename>:</para>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry>DEST</entry>
<entry>PROTO</entry>
<entry>DEST PORT(S)</entry>
<entry>SOURCE PORT(S)</entry>
<entry>ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>tcp</entry>
<entry>1723</entry>
<entry>-</entry>
<entry>&lt;<emphasis>external address</emphasis>&gt;</entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&lt;<emphasis>server address</emphasis>&gt;</entry>
<entry>47</entry>
<entry>-</entry>
<entry>-</entry>
<entry>&lt;<emphasis>external address</emphasis>&gt;</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> tcp 1723 - <emphasis>&lt;external address&gt;</emphasis>
DNAT net loc:<emphasis>&lt;server address&gt;</emphasis> 47 - - <emphasis>&lt;external address&gt;</emphasis></programlisting>
</section>
<section id="ClientsBehind">
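Review bot: the placeholder markup in the two new listings is inconsistent with the prose around them: the listings put the angle brackets inside the emphasis (`loc:<emphasis>&lt;server address&gt;</emphasis>`) while the paragraph before the second listing, like the removed tables, puts them outside (`&lt;<emphasis>external address</emphasis>&gt;`); pick one form. Also the unchanged line "If you have multiple external IP address" should read "addresses".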
@ -1021,179 +613,27 @@ loadmodule ip_nat_proto_gre</programlisting>
</listitem>
</orderedlist>
<para>Here are examples from my setup:</para>
<para>Here are examples from one of my old setups:</para>
<table>
<title>/etc/shorewall/zones</title>
<para><filename>/etc/shorewall/zones</filename>:</para>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<programlisting>#ZONE DISPLAY COMMENTS
cpq Compaq Compaq Intranet</programlisting>
<entry align="center">DISPLAY</entry>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- ppp+</programlisting>
<tbody>
<row>
<entry>cpq</entry>
<para>/etc/shorewall/hosts:</para>
<entry>Compaq</entry>
<programlisting>#ZONE HOST(S) OPTIONS
cpq ppp+:!192.168.1.0/24</programlisting>
<entry>Compaq Intranet</entry>
</row>
</tbody>
</tgroup>
</table>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>ppp+</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/hosts</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">HOST(S)</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>ppp+:!192.168.1.0/24</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/rules (For Shorewall versions up to and including
1.3.9b)</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>fw</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>1723</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>fw</entry>
<entry>net</entry>
<entry>47</entry>
<entry>-</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and
later)</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>pptpclient</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
pptpclient net 0.0.0.0/0</programlisting>
<para>I use the combination of interface and hosts file to define the
<quote>cpq</quote> zone because I also run a PPTP server on my firewall
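Review bot: the new "/etc/shorewall/hosts:" paragraph is the only one of the four file headings in this hunk without <filename> markup (compare the zones, interfaces and tunnels headings); wrap it for consistency. Note also that the hosts entry now names the zone ("cpq ppp+:!192.168.1.0/24") where the removed table had "-" in the ZONE column, which matches the following sentence about using the hosts file to define the cpq zone; that is a content fix, not just a markup change, and deserves a mention in the commit message.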
@ -1347,7 +787,7 @@ echo "Attempting to restart PPTP"
restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<para><ulink url="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's
a scriptand corresponding ip-up.local</ulink> from Jerry Vonau
a script and corresponding ip-up.local</ulink> from Jerry Vonau
<email>jvonau@home.com</email> that controls two PPTP connections.</para>
</section>
@ -1387,31 +827,8 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<listitem>
<para>Add this entry to /etc/shorewall/zones:</para>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>modem</entry>
<entry>Modem</entry>
<entry>ADSL Modem</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE DISPLAY COMMENTS
modem Modem ADSL Modem</programlisting>
<para>That entry defines a new zone called <quote>modem</quote> which
will contain only your ADSL modem.</para>
@ -1420,35 +837,8 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<listitem>
<para>Add the following entry to /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>modem</entry>
<entry>eth0</entry>
<entry>192.168.1.255</entry>
<entry>dhcp</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
modem eth0 192.168.1.255 dhcp</programlisting>
<para>You will of course modify the <quote>net</quote> entry in
/etc/shorewall/interfaces to specify <quote>ppp0</quote> as the
@ -1459,35 +849,8 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
<listitem>
<para>Add the following to /etc/shorewall/tunnels:</para>
<table>
<title>/etc/shorewall/tunnels</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>pptpclient</entry>
<entry>modem</entry>
<entry>192.168.1.1</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
pptpclient modem 192.168.1.1</programlisting>
<para>That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-03-08</pubdate>
<pubdate>2005-04-15</pubdate>
<copyright>
<year>2001-2005</year>
@ -67,7 +67,7 @@
<itemizedlist>
<listitem>
<para>I use one-to-one NAT for Ursa (my personal system that run SuSE
9.2) - Internal address 192.168.1.5 and external address
9.3) - Internal address 192.168.1.5 and external address
206.124.146.178.</para>
</listitem>
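Review bot: while bumping 9.2 to 9.3 here, the unchanged "my personal system that run SuSE" should read "that runs SuSE".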
@ -80,7 +80,7 @@
<listitem>
<para>I use SNAT through 206.124.146.176 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
9.2/Windows XP) laptop <quote>Tipper</quote> which connects through
9.3/Windows XP) laptop <quote>Tipper</quote> which connects through
the Wireless Access Point (wap) via a Wireless Bridge (wet), and my
work laptop when it is not docked in my office.<note>
<para>While the distance between the WAP and where I usually use

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-01-25</pubdate>
<pubdate>2005-04-14</pubdate>
<copyright>
<year>2002</year>
@ -79,7 +79,34 @@ AllowSMB Z2 Z1</programlisting>
<para>To make network browsing (<quote>Network Neighborhood</quote>) work
properly between Z1 and Z2 requires a Windows Domain Controller and/or a
WINS server. I run Samba on my firewall to handle browsing between two zones
connected to my firewall. Details are <ulink
url="myfiles.htm">here</ulink>.</para>
WINS server. I have run Samba on my firewall to handle browsing between two
zones connected to my firewall.</para>
<para>When debugging Samba/SMB problems, I recommend that you do the
following:</para>
<orderedlist>
<listitem>
<para>Copy <filename>action.Drop</filename> and
<filename>action.Reject</filename> from <filename
class="directory">/usr/share/shorewall</filename> to <filename
class="directory">/etc/shorewall</filename>.</para>
</listitem>
<listitem>
<para>Edit the copies and remove the <emphasis
role="bold">DropSMB</emphasis> and <emphasis
role="bold">RejectSMB</emphasis> lines.</para>
</listitem>
<listitem>
<para><command>shorewall restart</command></para>
</listitem>
</orderedlist>
<para>The above steps will cause SMB traffic that is dropped or rejected by
policy to be logged rather than handled silently.</para>
<para>You can just remove the copies and <command>shorewall
restart</command> when you are finished debugging.</para>
</article>
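Review bot: step 3 of the new procedure is a bare command ("<command>shorewall restart</command>") with no verb, unlike steps 1 and 2; suggest "Run <command>shorewall restart</command>". The closing paragraph "You can just remove the copies" is clearer as "delete the copies from /etc/shorewall", so it is unambiguous which files go. The unchanged opening sentence "To make network browsing ... work properly between Z1 and Z2 requires" has no subject; "Making network browsing ... work properly between Z1 and Z2 requires" fixes it.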

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-04-06</pubdate>
<pubdate>2005-04-13</pubdate>
<copyright>
<year>2004</year>
@ -744,6 +744,10 @@
<para><command>shorewall show log</command> - display the last 20
packet log entries.</para>
<para><command>shorewall show capabilities</command> - Added in
Shorewall version 2.2.4 and displays your kernel/iptables
capabilities</para>
<para><command>shorewall show connections</command> - displays the
IP connections currently being tracked by the firewall.</para>
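Review bot: the added entry breaks the pattern of its neighbours, which all read "<command>...</command> - display(s) ..." and end with a period; suggest "<command>shorewall show capabilities</command> - displays your kernel/iptables capabilities (added in Shorewall version 2.2.4)."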