extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-23 21:21:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.7

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@756 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-10-06 22:38:40 +00:00
parent acad75f82f
commit a30b326a4b
96 changed files with 26174 additions and 26168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
Lrp/etc/shorewall/accounting Executable file
View File

@ -0,0 +1,73 @@
#
# Shorewall version 1.4 - Accounting File
#
# /etc/shorewall/accounting
#
# Accounting rules exist simply to count packets and bytes in categories
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
# Columns are:
#
# ACTION - What to do when a match is found.
#
# COUNT - Simply count the match and continue
# with the next rule
# DONE - Count the match and don't attempt
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
#
# DESTINATION - Packet Destination
#
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number.
#
# DEST PORT Destination Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# SOURCE PORT Source Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
# PORT PORT
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

9
Lrp/etc/shorewall/interfaces
View File

@ -103,6 +103,15 @@
# This option has no effect if
# NEWNOTSYN=Yes.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.

3
Lrp/etc/shorewall/masq
View File

@ -49,6 +49,9 @@
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#

3
Lrp/etc/shorewall/nat
View File

@ -32,5 +32,6 @@
# Yes or yes, NAT will be effective from the firewall
# system
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

12
Lrp/etc/shorewall/policy
View File

@ -3,6 +3,8 @@
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
@ -69,8 +71,12 @@
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE

4
Lrp/etc/shorewall/rfc1918
View File

@ -22,7 +22,7 @@
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
192.168.0.0/16 logdrop # RFC 1918
#
# The following are generated with the help of the Python program found at:
@ -46,7 +46,6 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
83.0.0.0/8 logdrop # Reserved
@ -57,6 +56,7 @@
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries

72
Lrp/etc/shorewall/rules
View File

@ -47,10 +47,29 @@
# (those) zone(s).
# LOG -- Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT<4/sec:8>:debugging). This causes the packet to be
# logged at the specified level.
#
# NOTE: For those of you who prefer to place the
# rate limit in a separate column, see the RATE LIMIT
# column below. If you specify a value in that column,
# you must not include a rate limit in the ACTION column
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
@ -193,6 +212,39 @@
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the ACTION column.
#
# USER SET This column may only be non-empty if the SOURCE is
# the firewall itself and the ACTION is ACCEPT, DROP or
# REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user>(s) and/or <group>(s) specified.
# When a user set name is given, a log level may not be
# present in the ACTION column; logging for such rules is
# controlled by the user set's entry in
# /etc/shorewall/usersets.
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
@ -206,6 +258,14 @@
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
@ -226,9 +286,9 @@
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 \
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

29
Lrp/etc/shorewall/shorewall.conf
View File

@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60
NEWNOTSYN=No
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################

3
Lrp/etc/shorewall/tcrules
View File

@ -58,5 +58,6 @@
# separated list of port names, port numbers or port
# ranges.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
#MARK SOURCE DEST PROTO PORT(S) CLIENT
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

22
Lrp/etc/shorewall/tunnels
View File

@ -10,13 +10,20 @@
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn".
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
# of 5000 will be used
#
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
@ -30,7 +37,7 @@
# column is a standalone host then this column should
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC tunnels.
# applies to IPSEC and generic tunnels.
#
# Example 1:
#
@ -85,5 +92,14 @@
#
# openvpn:7777 net 4.33.99.124
#
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

25
Lrp/etc/shorewall/users Normal file
View File

@ -0,0 +1,25 @@
#
# Shorewall version 1.4 - Users File
#
# /etc/shorewall/users
#
# This file is used to associate local users and/or groups to Shorewall
# "User Sets".
# Columns are:
#
# USERSET The name of a user set defined in
# /etc/shorewall/usersets.
#
# USER A Linux user name or number defined in /etc/passwd.
#
# GROUP A linux group name or number defined in /etc/groups.
#
# The GROUP may be omitted. If it is supplied, then the USER may be
# entered as "-" in which case all members of the specified group are
# included in the USERSET.
#
################################################################################
#USERSET USER GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

29
Lrp/etc/shorewall/usersets Normal file
View File

@ -0,0 +1,29 @@
#
# Shorewall version 1.4 - Users Sets File
#
# /etc/shorewall/usersets
#
# A user set is a list of <user>, <group> or <user:group> names and can
# be used to control access by individual users to other network hosts
# from the firewall system.
#
# Columns are:
#
# USERSET The name of a user set. May be up to 6 characters in
# length and must be a valid shell identifier.
#
# REJECT The log level for REJECT rules that match a user in this
# userset.
#
# ACCEPT The log level for ACCEPT rules that match a user in this
# userset.
#
# DROP The log level for DROP rules that match a user in this
# userset.
#
# To omit one of the last three columns yet supply a value to one of the
# following ones, enter "-".
#
#USERSET REJECT ACCEPT DROP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5
Lrp/etc/shorewall/zones
View File

@ -7,6 +7,11 @@
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks

89
Lrp/sbin/shorewall
View File

@ -51,7 +51,7 @@
# compensate for a change of
# broadcast address on any "detect"
# interface.
# shorewall show <chain> Display the rules in a <chain>
# shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
# shorewall show log Print the last 20 log messages
# shorewall show connections Show the kernel's connection
# tracking table
@ -517,6 +517,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done
}
#
# Help information
#
help()
{
[ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP"
}
#
# Give Usage Information
#
@ -525,27 +534,28 @@ usage() # $1 = exit status
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
echo " restart"
echo " status"
echo " clear"
echo " refresh"
echo " hits"
echo " monitor [<refresh interval>]"
echo " version"
echo " check"
echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]"
echo " drop <address> ..."
echo " reject <address> ..."
echo " allow <address> ..."
echo " save"
echo " check"
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>"
echo " logwatch [<refresh interval>]"
echo " monitor [<refresh interval>]"
echo " refresh"
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " save"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
exit $1
}
@ -611,12 +621,11 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT=
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
HELP=$SHARED_DIR/help
if [ -f $FUNCTIONS ]; then
. $FUNCTIONS
@ -634,6 +643,8 @@ else
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then
@ -687,26 +698,29 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;;
show|list)
[ $# -gt 2 ] && usage 1
case "$2" in
connections)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo
show_reset
iptables -t nat -L -n -v
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo
show_reset
iptables -t mangle -L -n -v
;;
log)
[ $# -gt 2 ] && usage 1
get_config
echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo
@ -715,20 +729,30 @@ case "$1" in
packet_log 20
;;
tc)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo
show_tc
;;
classifiers)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo
show_classifiers
;;
*)
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
shift
echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
echo
show_reset
iptables -L $2 -n -v
if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain -n -v
done
else
iptables -L -n -v
fi
;;
esac
;;
@ -837,6 +861,8 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
@ -847,6 +873,8 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
done
@ -857,13 +885,7 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt iptables -D dynamic -s $1 -j reject; then
#
# Address was rejected -- silently remove any drop as well
#
qt iptables -D dynamic -s $1 -j DROP
echo "$1 Allowed"
elif qt iptables -D dynamic -s $1 -j DROP; then
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
@ -927,6 +949,11 @@ case "$1" in
shift;
$@
;;
help)
shift
[ $# -ne 1 ] && usage 1
help $@
;;
*)
usage 1
;;

800
Lrp/usr/share/shorewall/firewall
View File

File diff suppressed because it is too large Load Diff

142
Lrp/usr/share/shorewall/functions
View File

@ -269,6 +269,13 @@ encodeaddr() {
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first last l x y z vlsm
@ -308,6 +315,31 @@ ip_range() {
done
}
ip_range_explicit() {
local first last
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
while [ $first -le $last ]; do
echo `encodeaddr $first`
first=$(($first + 1))
done
}
#
# Netmask from CIDR
#
@ -331,12 +363,11 @@ ip_network() {
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
# Note: 2147483647 = 0x7fffffff
ip_broadcast() {
local x=$(( ${1#*/} - 1 ))
local x=$(( 32 - ${1#*/} ))
[ $x -eq -1 ] && echo -1 || echo $(( 2147483647 >> $x ))
[ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}
#
@ -380,3 +411,108 @@ ip_vlsm() {
fi
}
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less "+" and anything following).
#
chain_base() #$1 = interface
{
local c=${1%%+*}
while true; do
case $c in
*.*)
c="${c%.*}_${c##*.}"
;;
*)
echo ${c:=common}
return
;;
esac
done
}
#
# Remove trailing digits from a name
#
strip_trailing_digits() {
echo $1 | sed s'/[0-9].*$//'
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Name from routing table
{
local if_file=$1
local rt_table=$2
case $if_file in
*+)
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
;;
*)
test "$rt_table" = "$if_file"
;;
esac
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_subnet ${1%/*} $addr && echo `find_device $rest`
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo `find_device $rest`
fi
;;
esac
done
}
#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo `find_device $rest` && return
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev="`find_rt_interface $1`"
local first rest
[ -z "$dev" ] && dev=`find_default_interface`
[ -n "$dev" ] && echo $dev
}

2
Lrp/usr/share/shorewall/version
View File

@ -1 +1 @@
1.4.6
1.4.7

3
Lrp/var/lib/lrpkg/shorwall.conf
View File

@ -21,3 +21,6 @@
/etc/shorewall/start Start Commands executed after [re]start
/etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop
/etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/usersets UserSets User Set definitions
/etc/shorewall/users Users " " "

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.4.6
1.4.7

111
STABLE/changelog.txt
View File

@ -1,66 +1,101 @@
Changes since 1.4.5
Changes since 1.4.6
1) Worked around RH7.3 "service" anomaly.
1) Added Smart Blacklisting.
2) Implemented 'newnotsyn' interface option.
2) Move determine_capabilities call to do_initialize to ensure that
MANGLE_ENABLED is set before it is tested.
3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES
behavior in that case.
3) Fixed MAC address handling in the SOURCE column of tcrules.
4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges.
4) Merged and corrected Steve Herber's command-specific help patch.
5) Allow Shorewall to add aliases to other than the first subnet on an
interface.
5) Removed some undocumented/braindead code from setup_masq()
6) Add support for load-balancing.
6) Don't allow 'stop' when startup is disabled
7) Toned down the disclaimer for the 'check' command.
7) Added ADMINISABSENTMINDED option.
8) Implemented support for the Connection Tracking Match extension in
iptables 1.2.8/Kernel 2.4.21.
8) Fixed adding addresses to ppp interfaces.
9) Removed the NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
parameters and replaced them with code that detects these
capabilities.
9) Added generic tunnel support.
10) Added the SHOREWALL_SHELL configuraiton parameter.
10) Added support for Address Range Lists in /etc/shorewall/masq.
11) Fixed capability reporting (thanks to Simon Matter).
11) Simplify ip_broadcast()
12) Correct the implementation of destination IP list in DNAT[-] rules.
12) Add 'arp_filter' interface option.
13) Check for shells whose arithmetic support is broken.
13) Added accounting file support
14) Moved IP Address manipulation functions to
/usr/share/shorewall/functions.
14) Fixed bug where an interface name alone appears in the DESTINATION
column of the accounting file.
15. Added ipcalc command.
15) Add ACTION column to accounting file.
16. Fixed handling of destination DNS names containing a "-"
16) Add CHAIN declarations to accounting file.
17. Make ip_range() smarter.
17) Replace calls to chain_exists with calls to havechain in
accounting code.
18. Added /sbin/shorewall iprange command.
18) Allow degenerate DONE and COUNT rules.
19. Fixed handling of excluded zone processing in DNAT and REDIRECT
rules (re-added the protocol to the rule). Fixed parsing of exclude
zones.
19) Interface-specific dynamic blacklisting chains are now displayed by
"shorewall monitor".
20. Display policy chain along with policy in 'check' command.
20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
21. Support Linux 2.6 compressed modules.
21) Rate-limited rules added.
22. Don't display DHCP message when there are no DHCP interface.
22) Make burst optional in rate limited rules and policies.
23. Move determine_capabilities call to do_initialize to ensure that
MANGLE_ENABLED is set before it is tested.
23) Allow display of multiple chains in one "shorewall show" command.
24. Fixed MAC address handling in the SOURCE column of tcrules.
24) Add "RATE LIMIT" column for those who prefer their config files to
be wide but normalized.
25. Disabled 'stop' command when startup is disabled.
25) Redesign the accounting facility to make it simpler and more
flexible.
26. Fixed adding addresses to ppp interfaces.
26) Add Henry Wang's fix for LOGRATE/LOGBURST and enhance to resolve
conflict between that facility and rate-limited logging rules.
27. Corrected IP range in masq entry WRT ADD_SNAT_ALIASES
27) Add User Set capability.
28. Fix IPV6 address confusion.
28) Deimplement Smart Blacklisting and fix problem with multiple
'drop'/'reject' commands for the same address.
29) Update for 1.4.7 Beta 1.
30) Fix ADD_SNAT_ALIASES interaction with ip ranges used for
load-balancing.
31) Fix IPV6 address confusion.
32) Add "o.gz" to the list of module extensions.
33) Replace existing route to PROXY ARP host rather than adding another
one.
34) Update of rfc1918 file.
35) Correct rules file comment.
36) Extend USER SET column in /etc/shorewall/rules to allow user:group.
37) Reword error message to avoid the word 'illegal'.
38) Avoid shell error when there is no policy corresponding to a rule.
39) Fatal error if /etc/shorewall/common or /etc/shoreall/common.def do
not exist.
40) Process blacklist before DHCP.
41) Fix 'logunclean' log message disposition.
42) Update rfc1918.
43) Remove Conflict specification from shorewall.rpm to appease the
SuSE crowd.
44) Removed a fly-speck at the beginning of the 'masq' file.

6312
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

2372
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

368
STABLE/documentation/FTP.html
View File

@ -1,234 +1,214 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall and FTP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<h2></h2>
<blockquote> </blockquote>
<p>FTP transfers involve two TCP connections. The first <u>control</u> connection
goes from the FTP client to port 21 on the FTP server. This connection is
used for logon and to send commands and responses between the endpoints.
Data transfers (including the output of "ls" and "dir" commands) requires
a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
<blockquote> </blockquote>
<p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
connection is used for logon and to send commands and responses between
the endpoints. Data transfers (including the output of "ls" and "dir"
commands) requires a second <u>data</u> connection. The data
connection is dependent on the <u>mode</u>
that the client is operating in:<br>
</p>
</p>
<ul>
<li>Passive Mode (default for web browsers) -- The client issues a PASV
command. Upon receipt of this command, the server listens on a dynamically-allocated
port then sends a PASV reply to the client. The PASV reply gives the IP address
and port number that the server is listening on. The client then opens a
<li>Passive Mode (default for web browsers) -- The client issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client. The
PASV reply gives the IP address
and port number that the server is listening on. The client then opens
a
second connection to that IP address and port number.</li>
<li>Active Mode (often the default for line-mode clients) -- The client
listens on a dynamically-allocated port then sends a PORT command to the
server. The PORT command gives the IP address and port number that the client
is listening on. The server then opens a connection to that IP address and
port number; the <u>source port</u> for this connection is 20 (ftp-data in
/etc/services).</li>
<li>Active Mode (often the default for line-mode clients) -- The
client listens on a dynamically-allocated port then sends a PORT
command to the server. The PORT command gives the IP address and port
number that the client is listening on. The server then opens a
connection to that IP address and port number; the <u>source port</u>
for this connection is 20 (ftp-data in /etc/services).</li>
</ul>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive mode
and that I can toggle between passive and active mode by issuing a "passive"
command:<br>
<blockquote>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive
mode and that I can toggle between passive and active mode by issuing a
"passive" command:<br>
<blockquote>
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
</blockquote>
Things to notice:<br>
</blockquote>
Things to notice:<br>
<ol>
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP address;
and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and separates
the two bytes by a comma. As shown in the PORT command, port 142,58 translates
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP
address; and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and
separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates
to 142*256+58 = 36410.<br>
</li>
</li>
</ol>
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode requires
the firewall to dynamically open a "hole" for the server's connection back
to the client. Similarly, if you are running an FTP server in your local
zone then active mode should always work but passive mode requires the firewall
to dynamically open a "hole" for the client's second connection to the server.
This is the role of FTP connection-tracking support in the Linux kernel.
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode
requires the firewall to dynamically open a "hole" for the server's
connection back to the client. Similarly, if you are running an FTP
server in your local
zone then active mode should always work but passive mode requires the
firewall to dynamically open a "hole" for the client's second
connection to the server. This is the role of FTP connection-tracking
support in the Linux kernel.
<div align="left"><br>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved,
the PORT commands and PASV responses may also need to be modified by the
firewall. This is the job of the FTP nat support kernel function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
modified by the firewall. This is the job of the FTP nat support kernel
function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means
that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
<p>Example:<br>
</p>
<blockquote>
</p>
<blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate directory,
you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf
to point to that directory.<br>
</p>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21. <br>
</p>
<p>The above discussion about commands and responses makes it clear that the
FTP connection-tracking and NAT helpers must scan the traffic on the control
connection looking for PASV and PORT commands as well as PASV responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,  you must therefore let the helpers know by specifying the port
in /etc/shorewall/modules entries for the helpers. For example, if you
run an FTP server that listens on port 49 then you would have:<br>
</p>
<blockquote>
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21.&nbsp;<br>
</p>
<p>The above discussion about commands and responses makes it clear
that the
FTP connection-tracking and NAT helpers must scan the traffic on the
control
connection looking for PASV and PORT commands as well as PASV
responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,&nbsp; you must therefore let the helpers know by specifying
the port
in /etc/shorewall/modules entries for the helpers. <span
style="font-weight: bold;">For example, if you
run an FTP server that listens on port 49 or you need to access a
server on the internet that listens on that port then you would have:</span><br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
may have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in
/etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to
/etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot</li>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
restart</font></b>); or</li>
<li>Reboot</li>
</ol>
One problem that I see occasionally involves active mode and the FTP server
in my DMZ. I see the active data connection <u>to certain client IP addresses</u>
being continuously rejected by my firewall. It is my conjecture that there
is some broken client out there that is sending a PORT command that is being
either missed or mis-interpreted by the FTP connection tracking helper yet
it is being accepted by my FTP server. My solution is to add the following
rule:<br>
<blockquote>
One problem that I see occasionally involves active mode and the FTP
server in my DMZ. I see the active data connection <u>to certain
client IP addresses</u> being continuously rejected by my firewall. It
is my conjecture that there is some broken client out there that is
sending a PORT command that is being either missed or mis-interpreted
by the FTP connection tracking helper yet it is being accepted by my
FTP server. My solution is to add the following rule:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

1316
STABLE/documentation/IPSEC.htm
View File

File diff suppressed because it is too large Load Diff

8448
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

1734
STABLE/documentation/PPTP.htm
View File

File diff suppressed because it is too large Load Diff

69
STABLE/documentation/Shorewall_Doesnt.html
View File

@ -2,51 +2,52 @@
<html>
<head>
<title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<small> </small><small>
</small><small>
</small><small>
</small><small>
</small> <small> </small>
<body>
<small> </small><small> </small><small> </small><small> </small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall
<b>Cannot</b> Do</font></small></h1>
<small>
</small></td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that
Shorewall <b>Cannot</b> Do</font></small></h1>
<small> </small></td>
</tr>
</tbody>
</table>
<small><br>
</small>Shorewall cannot:<br>
<small><br>
</small>Shorewall cannot:<br>
<ul>
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by application.</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br>
</li>
<li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by
application.</li>
<li>Be used with an Operating System other than Linux (version &gt;=
2.4.0)<br>
</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
</ul>
<br>
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font>
In addition:<br>
<ul>
<li>Shorewall does not contain any support for Netfilter <span
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
only supports features from released kernels.<br>
</li>
</ul>
<br>
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

868
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -2,540 +2,462 @@
<html>
<head>
<title>Shorewall Squid Usage</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#3366ff">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#3366ff"><a
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="middle" height="90" align="center"
width="34%">
alt="" width="88" height="31" hspace="4"> </a><br>
</td>
<td valign="middle" height="90" align="center" width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%"
align="right"><a href="http://www.squid-cache.org/"><img
src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
</tbody>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> </a><br>
</td>
</tr>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<br>
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
<br>
<img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle"> &nbsp;&nbsp;&nbsp; Please observe the
following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a
href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention
the files /etc/shorewall/start and /etc/shorewall/init -- if you don't
have those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets
being routed to the Squid server still have their original destination
IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention
the files /etc/shorewall/start and /etc/shorewall/init -- if you don't
have those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
When the Squid server is in the DMZ zone or in the local zone, that
zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
file entries. That is because the packets being routed to the Squid
server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
You must have iptables installed on your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
If you run a Shorewall version earlier than 1.4.6, you must have NAT
and MANGLE enabled in your /etc/shorewall/conf file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
running on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
in the DMZ</a></li>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
running on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests
EXCEPT those to your
own http server
(206.124.146.177) to a Squid
transparent proxy running on the firewall
and listening on port 3128. Squid will of course require access
You want to redirect all local www connection requests
EXCEPT those to your own http server (206.124.146.177) to a Squid
transparent proxy running on the firewall
and listening on port 3128. Squid will of course require access
to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination
hosts or networks from being redirected. For example, you might also want
requests destined for 130.252.100.0/24 to not be routed to Squid. In that
case, you must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<br>
</blockquote>
There may be a requirement to exclude additional destination
hosts or networks from being redirected. For example, you might also
want
requests destined for 130.252.100.0/24 to not be routed to Squid. In
that
case, you must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional
similar rules.<br>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional
similar rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests
to a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening
on port 3128. Your local interface is eth1. There may also be a web
server running on 192.168.1.3. It is assumed that web access is already
enabled from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
You want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening
on port 3128. Your local interface is eth1. There may also be a web
server running on 192.168.1.3. It is assumed that web access is already
enabled from the local zone to the internet..<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in
/etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to
be executed after networking has come up<br>
<li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<blockquote> If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.<br>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in
/etc/shorewall/shorewall.conf and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for
the following command to be executed after networking has come up<br>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<blockquote> If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 8/4/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
</body>
</html>

636
STABLE/documentation/configuration_file_basics.htm
View File

@ -1,409 +1,341 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to
set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
rules.</li>
<li>/etc/shorewall/proxyarp - defines use of
Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking
of packets for later use by traffic control/shaping or policy
routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification
(ECN - RFC 3168) to remote hosts or networks.</li>
<li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
<li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
users/groups with
similar access rights<br>
</li>
</ul>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first
non-whitespace character a pound sign ("#"). You may also place
comments at the end of any line, again by delimiting the comment from
the
rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>You may continue lines in the configuration files using the usual
backslash ("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE
Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
directives. An INCLUDE directive consists of the word INCLUDE followed
by a file name and causes the contents of the named file to be
logically included into the file containing the INCLUDE. File names
given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified
for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote> &nbsp;&nbsp; shorewall/params.mgmt:<br>
<blockquote> &nbsp;&nbsp; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
&nbsp;&nbsp; TIME_SERVERS=4.4.4.4<br>
&nbsp;&nbsp; BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
&nbsp;&nbsp; ----- end params.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall 1.3 /etc/shorewall/params<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE params.mgmt&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # params unique to this host here<br>
&nbsp;&nbsp; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end params -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; ACCEPT
net:$MGMT_SERVERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
$FW&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$TIME_SERVERS&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 123<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$BACKUP_SERVERS&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall version 1.3 - Rules File<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE rules.mgmt&nbsp;&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # rules unique to this host here<br>
&nbsp;&nbsp; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not
forewarned. <br>
</b></p>
<p align="left"><b>&nbsp;&nbsp;&nbsp; -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in
Shorewall configuration files may be specified as either IP addresses
or DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts those
addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<p align="left"> Each DNS name much be fully qualified and include a
minumum of two periods (although one may be trailing). This restriction
is imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply
for your inconvenience but are rather limitations of iptables.<br>
These restrictions are not imposed by Shorewall simply for your
inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,    
norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear
in any order.</li>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,&nbsp;&nbsp;&nbsp;&nbsp;
dhcp,&nbsp;&nbsp;&nbsp;&nbsp; norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, if
you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
Example (/etc/shorewall/interfaces record):</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for
address fields, Shorewall requires MAC addresses to be written
in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, your
kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex
numbers separated by colons. Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176
Bcast:206.124.146.255 Mask:255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0
overruns:0 frame:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0
overruns:0 carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX
bytes:1659782221 (1582.8 Mb)<br>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex
numbers separated by hyphens. In Shorewall, the MAC address in the
example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall
notation in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a>
file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall check,
start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those
files not in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<p> Shorewall allows you to have configuration directories other than
/etc/shorewall. The <a href="starting_and_stopping_shorewall.htm">shorewall
check, start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the
alternate directory rather than the corresponding files in
/etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read
from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary
configuration by:</p>
<ol>
<li> copying the files that need modification
from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a
shorewall start or shorewall restart command (e.g., <i><b>shorewall
-c /etc/testconfig restart</b></i> )</li>
<li> copying the files that need modification from /etc/shorewall to
a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
</ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if an
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and
if an
error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

348
STABLE/documentation/download.htm
View File

@ -1,234 +1,196 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
&nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp
file (you might also want to download the .tgz so you will
have a copy of the documentation).</li>
<li>If you run <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
TurboLinux</b> distribution with a 2.4 kernel, you can
use the RPM version (note: the RPM should also work with other
distributions that store init scripts in /etc/init.d and that include
chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>The documentation in HTML format is included in the .tgz and .rpm
files and there is an documentation .deb that also contains the
documentation.&nbsp;&nbsp;The .rpm will install the documentation in
your default document directory which can be obtained using the
following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
errata</a></font> to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
completed configuration of your firewall, you can enable startup by
removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily
Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the
each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
repository at cvs.shorewall.net</a> contains the latest snapshots of
the each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been
installed and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

530
STABLE/documentation/errata.htm
View File

@ -1,391 +1,319 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through
<u> <a
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
</p>
</li>
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a
href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a href="#iptables"> Problem with
iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel
2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0">
</a><br>
</b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0"> </a><br>
</b></li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would
fail to start with the error "ERROR:  Traffic Control requires Mangle";
that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall
script</a> which may be installed in /var/share/shorewall/firewall as described
above. This problem is also corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control. If
a MAC address is used in the SOURCE column, an error occurs as follows:<br>
<br>
     <font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
<a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in /var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your 'firewall'
script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this line:<br>
<br>
    r=`mac_match $source` <br>
<br>
with<br>
<br>
     r="`mac_match $source` "<br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR:&nbsp; Traffic Control
requires Mangle";
that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall as described above. This problem is also
corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control.
If a MAC address is used in the SOURCE column, an error occurs as
follows:<br>
<br>
&nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your
'firewall'
script (in versions 1.4.*, it is located in
/usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:<br>
<br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
<li>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br>
</li>
target="_top">this functions script</a> in
/usr/share/shorewall/functions.<br>
</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.<br>
</li>
</li>
</ul>
<h3>1.4.4<br>
</h3>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a logging
rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul>
<h3>1.4.3</h3>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem.
I have implimented a new LOGFORMAT variable which will replace LOGMARKER
which has completely solved this problem and is currently in production
with fireparse here at shorewall.net. The updated files may be found at
<a
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net.
The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
</ul>
<h3>1.4.2</h3>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be corrected
by installing <a
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be
corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above. <br>
</li>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with
an ICMP port-unreachable response rather than the more appropriate TCP
RST response. This problem is corrected in <a
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST
response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
</li>
target="_top">this updated common.def file</a> which may be installed
in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator
expected<br>
<br>
You may correct the problem by installing <a
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
&nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
target="_top">this corrected script</a> in
/usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt
to create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
<li>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
with iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and
I have also built an <a
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
iptables-1.2.4 rpm which you can download here</a>. If you are
currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level
specification while this <a
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later or:</p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set
MULTIPORT=No in /etc/shorewall/shorewall.conf;
or </li>
<li>if
you are running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall as described
above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following
form will result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
</h3>
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
and REJECT
(also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just
like DROP rules when dealing with TCP. A kernel patch and precompiled modules
to fix this problem are available at <a
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch
and precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom Eastep</a></font>
<hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</p>
<br>
<br>
</body>
</html>

BIN
STABLE/documentation/images/Netfilter.png
View File

Binary file not shown.

BIN
STABLE/documentation/images/menuconfig1.jpg
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 88 KiB

After

Width:  |  Height:  |  Size: 103 KiB

BIN
STABLE/documentation/images/netopts.jpg
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 110 KiB

After

Width:  |  Height:  |  Size: 107 KiB

225
STABLE/documentation/kernel.htm
View File

@ -1,165 +1,102 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>For information regarding configuring and building GNU/Linux kernels,
see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>For information regarding configuring and building GNU/Linux kernels, see
<a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote>
<blockquote>
<p> <img border="0" src="images/netopts.jpg" width="609" height="842">
</p>
</blockquote>
<p>While not all of the options that I've selected are required, they should
be sufficient for most applications. Here's an excerpt from the corresponding
.config file (Note: If you are running a kernel older than 2.4.17, be sure
to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2">
<p>#<br>
# Networking options<br>
#<br>
CONFIG_PACKET=y<br>
# CONFIG_PACKET_MMAP is not set<br>
# CONFIG_NETLINK_DEV is not set<br>
CONFIG_NETFILTER=y<br>
CONFIG_NETFILTER_DEBUG=y<br>
CONFIG_FILTER=y<br>
CONFIG_UNIX=y<br>
CONFIG_INET=y<br>
CONFIG_IP_MULTICAST=y<br>
CONFIG_IP_ADVANCED_ROUTER=y<br>
CONFIG_IP_MULTIPLE_TABLES=y<br>
CONFIG_IP_ROUTE_FWMARK=y<br>
CONFIG_IP_ROUTE_NAT=y<br>
CONFIG_IP_ROUTE_MULTIPATH=y<br>
CONFIG_IP_ROUTE_TOS=y<br>
CONFIG_IP_ROUTE_VERBOSE=y<br>
# CONFIG_IP_ROUTE_LARGE_TABLES is not set<br>
# CONFIG_IP_PNP is not set<br>
CONFIG_NET_IPIP=m<br>
CONFIG_NET_IPGRE=m<br>
# CONFIG_NET_IPGRE_GROADCAST is not set<br>
# CONFIG_IP_MROUTE is not set<br>
# CONFIG_ARPD is not set<br>
CONFIG_INET_ECN=y<br>
CONFIG_SYN_COOKIES=y</p>
</font> </blockquote>
<p>Here's a screen shot of my Netfilter configuration:</p>
<blockquote>
<p><img border="0" src="images/menuconfig.jpg" width="609"
height="842">
</p>
</blockquote>
<p>Here's an excerpt from the corresponding .config file.</p>
<blockquote>
<p><font size="2">#<br>
# IP: Netfilter Configuration<br>
#<br>
CONFIG_IP_NF_CONNTRACK=y<br>
CONFIG_IP_NF_FTP=m<br>
# CONFIG_IP_NF_QUEUE is not set<br>
CONFIG_IP_NF_IPTABLES=y<br>
CONFIG_IP_NF_MATCH_LIMIT=y<br>
CONFIG_IP_NF_MATCH_MAC=y<br>
CONFIG_IP_NF_MATCH_MARK=y<br>
CONFIG_IP_NF_MATCH_MULTIPORT=y<br>
CONFIG_IP_NF_MATCH_TOS=y<br>
# CONFIG_IP_NF_MATCH_TCPMSS is not set<br>
CONFIG_IP_NF_MATCH_STATE=y<br>
# CONFIG_IP_NF_MATCH_UNCLEAN is not set<br>
# CONFIG_IP_NF_MATCH_OWNER is not set<br>
CONFIG_IP_NF_FILTER=y<br>
CONFIG_IP_NF_TARGET_REJECT=y<br>
# CONFIG_IP_NF_TARGET_MIRROR is not set<br>
CONFIG_IP_NF_NAT=y<br>
CONFIG_IP_NF_NAT_NEEDED=y<br>
CONFIG_IP_NF_TARGET_MASQUERADE=y<br>
CONFIG_IP_NF_TARGET_REDIRECT=y<br>
CONFIG_IP_NF_NAT_FTP=m<br>
CONFIG_IP_NF_MANGLE=y<br>
CONFIG_IP_NF_TARGET_TOS=y<br>
CONFIG_IP_NF_TARGET_MARK=y<br>
CONFIG_IP_NF_TARGET_LOG=y<br>
CONFIG_IP_NF_TARGET_TCPMSS=y<br>
# CONFIG_IPV6 is not set</font><font face="Courier"><br>
</font></p>
</blockquote>
<p>Note that I have built everything I need into the kernel except for the
FTP connection tracking and NAT modules. I have also run successfully with
all of the options selected above built as modules:</p>
<blockquote>
<p><img border="0" src="images/menuconfig1.jpg" width="609"
height="842">
</p>
<p><font size="2">#<br>
# IP: Netfilter Configuration<br>
#<br>
CONFIG_IP_NF_CONNTRACK=m<br>
CONFIG_IP_NF_FTP=m<br>
# CONFIG_IP_NF_QUEUE is not set<br>
CONFIG_IP_NF_IPTABLES=m<br>
CONFIG_IP_NF_MATCH_LIMIT=m<br>
CONFIG_IP_NF_MATCH_MAC=m<br>
CONFIG_IP_NF_MATCH_MARK=m<br>
CONFIG_IP_NF_MATCH_MULTIPORT=m<br>
CONFIG_IP_NF_MATCH_TOS=m<br>
# CONFIG_IP_NF_MATCH_TCPMSS is not set<br>
CONFIG_IP_NF_MATCH_STATE=m<br>
# CONFIG_IP_NF_MATCH_UNCLEAN is not set<br>
# CONFIG_IP_NF_MATCH_OWNER is not set<br>
CONFIG_IP_NF_FILTER=m<br>
CONFIG_IP_NF_TARGET_REJECT=m<br>
# CONFIG_IP_NF_TARGET_MIRROR is not set<br>
CONFIG_IP_NF_NAT=m<br>
CONFIG_IP_NF_NAT_NEEDED=m<br>
CONFIG_IP_NF_TARGET_MASQUERADE=m<br>
CONFIG_IP_NF_TARGET_REDIRECT=m<br>
CONFIG_IP_NF_NAT_FTP=m<br>
CONFIG_IP_NF_MANGLE=m<br>
CONFIG_IP_NF_TARGET_TOS=m<br>
CONFIG_IP_NF_TARGET_MARK=m<br>
CONFIG_IP_NF_TARGET_LOG=m<br>
CONFIG_IP_NF_TARGET_TCPMSS=m<br>
# CONFIG_IPV6 is not set<br>
</font></p>
</p>
</blockquote>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <a
<p>While not all of the options that I've selected are required, they should
be sufficient for most applications. Here's an excerpt from the corresponding
.config file (Note: If you are running a kernel older than 2.4.17, be sure
to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2">
<p>#<br>
# Networking options<br>
#<br>
CONFIG_PACKET=y<br>
# CONFIG_PACKET_MMAP is not set<br>
# CONFIG_NETLINK_DEV is not set<br>
CONFIG_NETFILTER=y<br>
# CONFIG_NETFILTER_DEBUG is not set<br>
CONFIG_FILTER=y<br>
CONFIG_UNIX=y<br>
CONFIG_INET=y<br>
CONFIG_IP_MULTICAST=y<br>
CONFIG_IP_ADVANCED_ROUTER=y<br>
CONFIG_IP_MULTIPLE_TABLES=y<br>
CONFIG_IP_ROUTE_FWMARK=y<br>
CONFIG_IP_ROUTE_NAT=y<br>
CONFIG_IP_ROUTE_MULTIPATH=y<br>
CONFIG_IP_ROUTE_TOS=y<br>
CONFIG_IP_ROUTE_VERBOSE=y<br>
# CONFIG_IP_ROUTE_LARGE_TABLES is not set<br>
# CONFIG_IP_PNP is not set<br>
CONFIG_NET_IPIP=y<br>
CONFIG_NET_IPGRE=y<br>
# CONFIG_NET_IPGRE_BROADCAST is not set<br>
# CONFIG_IP_MROUTE is not set<br>
# CONFIG_ARPD is not set<br>
CONFIG_INET_ECN=y<br>
CONFIG_SYN_COOKIES=y<br>
</p>
</font> </blockquote>
<p>Here's a screen shot of my Netfilter configuration:</p>
<blockquote>
<p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
width="589" height="849">
<br>
</p>
</blockquote>
<p>Note that I have built everything I need as modules. You can also build
everything into your kernel but if you want to be able to deal with FTP running
on a non-standard port then I recommend that you modularize FTP Protocol
support.<br>
</p>
<p>Here's the corresponding part of my .config file:<br>
</p>
<blockquote>
<pre>#<br>#   IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
</blockquote>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003,  Thomas M. Eastep.</font></a><br>
<br>
</body>
</html>

394
STABLE/documentation/mailing_list.htm
View File

@ -1,153 +1,117 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td width="33%" valign="middle"
align="left">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left">
</a></h1>
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
height="79" align="left"> </a></h1>
<a href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a>
<p align="right"><font color="#ffffff"><b>  </b></font><a
height="35" alt=""> </a>
<p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0">
</a> </p>
</td>
<td valign="middle" width="34%" align="center">
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%">
<a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="158"
height="84" alt="(Postfix Logo)">
</a><br>
</td>
<td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0">
</a> </div>
<br>
border="0"> </a> </div>
<br>
<div align="right"><b><font color="#ffffff"><br>
</font></b><br>
</div>
</td>
</tr>
</tbody>
</font></b><br>
</div>
</td>
</tr>
</tbody>
</table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<br>
<big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">If you are reporting a problem or asking a
question, you are at the wrong place -- please see the <a
href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
<br>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
know
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a
<p align="left">You can report such problems by sending mail to
tmeastep at
hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net&nbsp;<a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net
checks incoming mail:<br>
</p>
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
</p>
<ol>
<li>against <a
href="http://spamassassin.org">Spamassassin</a> (including <a
href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is fully
qualified.</li>
<li>to verify that the sender's domain has
an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li>
<li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is
fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers
are rejecting all HTML traffic. At least one MTA has gone so far
as to blacklist shorewall.net "for continuous abuse" because it has
been my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way
to control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured the
list server at shorewall.net to strip all HTML from outgoing posts. This
means that HTML-only posts will be bounced by the list server.<br>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list
post, your e-mail admin may be blocking mail whose <i>Received:</i>
headers contain the names of certain ISPs. Again, I believe that such
policies hurt more than they help but I'm not prepared to go so far
as to start stripping <i>Received:</i> headers to circumvent those
policies.<br>
If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the
names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -156,134 +120,122 @@ policies.<br>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input
type="hidden" name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download
the entire
Archive -- it is 164MB (and growing daily) and my slow DSL line simply
won't
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site),
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and accept
the server's certificate when prompted by your browser.<br>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also
posted to this list.</p>
<p align="left"><b>To post a problem report to this list or to subscribe
to the list, please see the <a
href="http://www.shorewall.net/support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">The Shorewall Users Mailing list provides a way for
users to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted to
this list.</p>
<p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a
href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.<br>
</b></big></p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<br>
</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was
hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from
that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br>
</p>
<p align="left"></p>
<ul>
<li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a
<p align="left">This list is for announcements of general interest to
the Shorewall community. <big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">DO NOT USE THIS LIST FOR REPORTING PROBLEMS
OR ASKING FOR HELP.</span></span></big><br>
</p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul>
<p align="left"><br>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for
coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br>
</p>
target="_top">https://lists.shorewall.net/mailman/listinfo/shorewall-announce</a>.
<br>
</p>
<a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top"></a>
<ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum
for the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development. <big><span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">DO NOT
USE THIS LIST FOR REPORTING PROBLEMS OR ASKING FOR HELP.</span></span></big></p>
<p align="left">To subscribe to the mailing list: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one
of the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about
unsubscribing from Mailman-managed lists although Mailman 2.1 has
attempted to make this less confusing. To unsubscribe:</p>
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
a password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options"
button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be
emailed to you.</p>
</li>
<li>
<p align="left">Follow the same link above that you used to
subscribe to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following
text: " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
get a password reminder, or change your subscription options
enter your subscription email address:". Enter your email address in
the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your
password and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
to be emailed to you.</p>
</li>
</ul>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 8/1/2003 - <a
<p align="left"><font size="2">Last updated 9/17/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

403
STABLE/documentation/myfiles.htm
View File

File diff suppressed because one or more lines are too long

300
STABLE/documentation/ping.html
View File

@ -2,190 +2,170 @@
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
<br>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to
upgrade since you have a very old version of Shorewall installed (1.2.4
or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated
just like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the
policy for z1 to z2 is not ACCEPT, you need a rule in
/etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with
OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and
policies just like any other connection request. In order to accept
ping requests from zone z1 to zone z2 where the policy for z1 to z2 is
not ACCEPT, you need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<span style="font-weight: bold;">NOTE:&nbsp; </span>There is one
exception to the above description. In 1.3.14 and 1.3.14a, ping from
the firewall itself is enabled unconditionally. This suprising
"feature" was removed in version 1.4.0.<br>
<blockquote> </blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
</ol>
These cases will be covered separately.<br>
These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
</ol>
<h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded
to with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp;
Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp;
8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to
with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded
to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
<li>If the relevant policy is ACCEPT then the request is responded to
with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in
/etc/shorewall/shorewall.conf then the request is responded to with an
ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
<div style="text-align: justify;"><font size="2">Updated 8/23/2003 - <a
href="support.htm">Tom Eastep</a></font></div>
<p><font size="2"> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
</body>
</html>

164
STABLE/documentation/samba.htm
View File

@ -1,112 +1,102 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Samba</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Samba</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
<p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p>
<p>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>tcp</td>
<td>137,139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>137,139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td> </td>
</tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
</blockquote>
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>

1088
STABLE/documentation/seattlefirewall_index.htm
View File

File diff suppressed because it is too large Load Diff

140
STABLE/documentation/shoreline.htm
View File

@ -1,119 +1,67 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240">
</p>
<p align="center">Tom -- June 2003<br>
<br>
</p>
<p align="center"> <img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240"> </p>
<p align="center">"The Aging Geek" -- June 2003<br>
<br>
</p>
<ul>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem
Computers, Incorporated</a> (now part of the <a
href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net"> Seattle
Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home
office in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net">
Seattle Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a>
in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where
I live with my wife Tarry.&nbsp; </p>
<p></p>
<ul>
</ul>
<p>For information about our home network see <a href="myfiles.htm">my Shorewall
Configuration files.</a></p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).</p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img
border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
height="25">
</a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a
href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/ProtectedBy.png"
alt="Protected by Shorewall" width="200" height="42" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p>For information about our home network see <a href="myfiles.htm">my
Shorewall Configuration files.</a></p>
<p>All of our other systems are made by <a href="http://www.compaq.com">Compaq</a>
(part of the new <a href="http://www.hp.com/">HP</a>).</p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</body>
</html>

262
STABLE/documentation/shorewall_logging.html
View File

@ -2,155 +2,159 @@
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i>
(using the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by
NetFilter. The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
notice<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
err<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
crit<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take effect.<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">debug</span>
(Debug-level messages)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">info</span>
(Informational)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">notice</span>
(Normal but significant Condition)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-weight: bold;">
warning</span> (Warning Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">err</span>
(Error Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">crit</span>
(Critical Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">alert</span>
(Must be handled immediately)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">emerg</span>
(System is unusable)<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5
(notice) through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is available
from http://www.gnumonks.org/projects/ulogd and can be configured to log
all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have
absolutely no effect on your Shorewall logging (except for Shorewall status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a
log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is
available from http://www.gnumonks.org/projects/ulogd and can be
configured to log all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf
have
absolutely no effect on your Shorewall logging (except for Shorewall
status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either
NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
Also on the firewall system:<br>
<blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
</blockquote>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon
/usr/local/sbin/ulogd" to read daemon /usr/local/sbin/ulogd -d". On a
RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init
system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the
policy, rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 7/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch"
and
"monitor" commands.<br>
<h2>Syslog-ng</h2>
<a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
is a post describing configuring syslog-ng to work with Shorewall.<br>
<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

135
STABLE/documentation/shorewall_mirrors.htm
View File

@ -1,98 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left"><b>Remember that updates to the mirrors are often
delayed for 6-12 hours after an update to the primary rsync site. For
HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">
http://slovakia.shorewall.net</a> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
<li><a target="_top" href="http://slovakia.shorewall.net">http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" target="_top">http://shorewall.infohiiway.com</a>
(Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">http://germany.shorewall.net</a>
- Also accessible as <a href="http://www.shorewall.de" target="_top">http://www.shorewall.de</a>
(Hamburg, Germany)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br" target="_top">http://shorewall.securityopensource.org.br</a>
(Brazil)</li>
<li><a href="http://www.shorewall.com.au" target="_top">http://www.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul>
<p align="left">The rsync site is mirrored via FTP at:</p>
<ul>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA -- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall"
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall"
target="_blank">ftp://ftp.shorewall.net </a>(Washington State, USA)<br>
</li>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA
-- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">ftp://germany.shorewall.net/pub/shorewall</a>
AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shorewall.de/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul>
Search results and the mailing list archives are always fetched
from the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
</p>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep</font></a></font><br>
</p>
<br>
</body>
</html>

547
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -1,373 +1,282 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
</font></h1>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart
Guides (HOWTO's)<br>
</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
<p align="center">With thanks to Richard who reminded me once again
that we
must all first walk before we can run.<br>
The French Translations of the single-IP guides are courtesy of Patrice
Vetsel<br>
The French Translation of the Shorewall Setup Guide is courtesy of
Fabien Demassieux.<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>If you have a <font color="#ff0000"><big><big><b>single public IP address</b></big></big></font>:</p>
<blockquote>
<p>These guides provide step-by-step instructions for configuring
Shorewall in common firewall setups.</p>
<p>If you have a <font color="#ff0000"><big><big><b>single public IP
address</b></big></big></font>:</p>
<blockquote>
<ul>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a
href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and
a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
<li><a href="standalone.htm">Standalone</a> Linux System (<a
href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network (<a
href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ. (<a
href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.
If you want to learn more about Shorewall than is explained in the above
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) is for you.</p>
</blockquote>
<p>If you have <font color="#ff0000"><big><big><b>more than one public IP
address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) outlines the steps necessary to set up
a firewall where there are <small><small><big><big>multiple
public IP addresses</big></big></small></small> involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
<p>The above guides are designed to get your first firewall up and
running quickly in the three most common Shorewall configurations. If
you want to learn more about Shorewall than is explained in the above
simple guides,&nbsp; the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide</a> (See Index Below) is for you.</p>
</blockquote>
<p>If you have <font color="#ff0000"><big><big><b>more than one public
IP address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide</a> (See Index Below) outlines the steps necessary to set up a
firewall where there are multiple public IP
addresses involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
Française</a>).</blockquote>
<ul>
</ul>
<h2><b><a name="Documentation"></a></b>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a> described above</b>. Please review the appropriate
guide before trying to use this documentation directly.</p>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
<ul>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<li><a href="Accounting.html">Accounting</a><br>
</li>
<li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual)
Interfaces (e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using
/sbin/shorewall</li>
</ul>
</li>
<li><a
href="starting_and_stopping_shorewall.htm">Commands</a> (Description of
</li>
<li><a href="starting_and_stopping_shorewall.htm">Commands</a>
(Description of
all /sbin/shorewall commands)</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a> </li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>&nbsp;</li>
<ul>
<li><a href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a></li>
<li><a href="configuration_file_basics.htm#Ports">Port Numbers/Service
Names</a></li>
<li><a href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a href="configuration_file_basics.htm#Variables">Using Shell
<li><a href="configuration_file_basics.htm#Comments">Comments in
configuration files</a></li>
<li><a href="configuration_file_basics.htm#Continuation">Line
Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
Directive</a></li>
<li><a href="configuration_file_basics.htm#Ports">Port
Numbers/Service Names</a></li>
<li><a href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a href="configuration_file_basics.htm#Variables">Using Shell
Variables</a></li>
<li><a href="configuration_file_basics.htm#dnsnames">Using DNS Names</a></li>
<li><a href="configuration_file_basics.htm#Compliment">Complementing
an IP address or Subnet</a></li>
<li><a href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using MAC Addresses
in Shorewall</a>
</li>
<li><a href="configuration_file_basics.htm#dnsnames">Using DNS Names</a></li>
<li><a href="configuration_file_basics.htm#Compliment">Complementing
an IP address or Subnet</a></li>
<li><a href="configuration_file_basics.htm#Configs">Shorewall
Configurations (making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using MAC Addresses
in Shorewall</a> </li>
</ul>
<li><a href="Documentation.htm">Configuration
File Reference Manual</a>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul>
<li> <a
href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li>
<li><a
href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a
href="Documentation.htm#modules">modules</a></li>
<li><a
href="Documentation.htm#TOS">tos</a> </li>
<li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a
href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a href="Accounting.html">accounting</a></li>
<li><a href="UserSets.html">usersets and users</a><br>
</li>
</ul>
</li>
<li><a href="CorpNetwork.htm">Corporate
Network Example</a> (Contributed by a Graeme Boyle)<br>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling
by host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br>
</li>
<li><a href="shorewall_features.htm">Features</a><br>
</li>
<li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="FTP.html">FTP and Shorewall</a><br>
</li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li>Greater Seattle Linux Users Group Presentation</li>
</li>
<li><a href="CorpNetwork.htm">Corporate Network Example</a>
(Contributed by a Graeme Boyle)<br>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall --
/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br>
</li>
<li><a href="shorewall_features.htm">Features</a><br>
</li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="FTP.html">FTP and Shorewall</a><br>
</li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li>Greater Seattle Linux Users Group Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li>
</ul>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a
href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a
href="MAC_Validation.html">MAC Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My
Shorewall Configuration (How I personally use Shorewall)</a></li>
<li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration (How I
personally use Shorewall)</a></li>
<li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which
ports</li>
<li>Ports used by Trojans</li>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy
</li>
<li><a href="ProxyARP.htm">Proxy
ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
Addressing, Subnets and Routing</a>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2
Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3
Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5
RFC 1918</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1
Routed</a></li>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall
commands</li>
<li>How to safely test a Shorewall configuration
change<br>
</li>
</ul>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as
a Transparent Proxy with Shorewall</a></li>
<li><a
href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if
it doesn't work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
<li>VPN
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the
Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall
commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a></li>
<li><a href="Accounting.html">Traffic Accounting</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a></li>
<li><a href="UserSets.html">UID/GID Based Rules</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and
IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a>
from a system behind your firewall to a remote network.</li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li>
<li><a href="GenericTunnels.html">Other VPN types</a>.<br>
</li>
</ul>
</li>
<li><a
href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 7/30/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
M. Eastep</font></a><br>
</p>
<br>
</body>
</html>

4555
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

1251
STABLE/documentation/sourceforge_index.htm
View File

File diff suppressed because it is too large Load Diff

690
STABLE/documentation/standalone.htm
View File

@ -1,435 +1,375 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</p>
<p align="left">Setting up Shorewall on a standalone Linux system is
very easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features
of Shorewall. It rather focuses on what is required to configure
Shorewall in one of its most common configurations:</p>
<ul>
<li>Linux system</li>
<li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay,
<li>Linux system</li>
<li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay,
dial-up...</li>
</ul>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
<p>Shorewall requires that you have the iproute/iproute2 package
installed (on RedHat, the package is called <i>iproute</i>)<i>. </i>You
can tell if this package is installed by the presence of an <b>ip</b>
program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
<p>I recommend that you read through the guide first to familiarize
yourself with what's involved then go back through it again making your
configuration changes.&nbsp; Points at which configuration changes are
recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13"> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
&nbsp;&nbsp;&nbsp; If you edit your configuration files on a Windows
system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them.
Similarly,
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it
with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
<h2 align="left">PPTP/ADSL</h2>
<img style="border: 0px solid ; width: 13px; height: 13px;"
src="images/BD21298_3.gif" title="" alt="">&nbsp;&nbsp;&nbsp; If you
have an ADSL Modem and you use PPTP to communicate with a server in
that modem, you must make the <a href="PPTP.htm#PPTP_ADSL">changes
recommended here</a> in addition to those described in the steps below.
ADSL with PPTP is most commonly found in Europe, notably in Austria.<br>
<h2 align="left">Shorewall Concepts</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
alt=""> &nbsp;&nbsp;&nbsp; The configuration files for Shorewall are
contained in the directory /etc/shorewall -- for simple setups, you
only need to deal with a few of these as described in this guide. After
you have <a href="Install.htm">installed Shorewall</a>, <b>download
the <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
files to /etc/shorewall (they will replace files with the same names
that were placed in /etc/shorewall during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of
a set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
/etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy">
/etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<blockquote>
<p>For each connection request entering the firewall, the request is
first checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in
/etc/shorewall/policy that matches the request is applied. If that
policy is REJECT or DROP&nbsp; the request is first checked against the
rules in /etc/shorewall/common (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface
sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>net</td>
<td>all<br>
</td>
<td>DROP</td>
<td>info</td>
<td> </td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>net</td>
<td>all<br>
</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall</li>
<li>reject all other connection requests (Shorewall requires
this catchall policy).</li>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall</li>
<li>reject all other connection requests (Shorewall requires this
catchall policy).</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p>
<p>At this point, edit your /etc/shorewall/policy and make any changes
that you wish.</p>
<h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
<p align="left">The firewall has a single network interface. Where
Internet connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the ethernet adapter (<b>eth0</b>) that is
connected to that "Modem"&nbsp; <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the
External Interface will be a <b>ppp0</b>. If you connect via a regular
modem, your External Interface will also be <b>ppp0</b>. If you
connect using ISDN, your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that
are specified for the interface. Some hints:</p>
height="13"> &nbsp;&nbsp;&nbsp; The Shorewall one-interface sample
configuration assumes that the external interface is <b>eth0</b>. If
your configuration is different, you will have to modify the sample
/etc/shorewall/interfaces file accordingly. While you are there, you
may wish to review the list of options that are specified for the
interface. Some hints:</p>
<ul>
<li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
or if you have a static IP address, you can remove "dhcp" from the
option list.<br>
</p>
</li>
</ul>
<div align="left">
<div align="left">
<h2 align="left">IP Addresses</h2>
</div>
<div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p>
<div align="left">
</div>
<div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address
ranges for use in private networks:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
</div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though,
ISPs are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though,
ISPs are assigning these addresses then using <i>Network Address
Translation </i>to rewrite packet headers when forwarding to/from the
internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
     Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
width="13" height="13"> &nbsp;&nbsp;&nbsp;&nbsp; Before starting
Shorewall, you should look at the IP address of your external interface
and if it is one of the above ranges, you should remove the 'norfc1918'
option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Enabling other Connections</h2>
</div>
<div align="left">
<p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p>
</div>
<div align="left">
<blockquote>
</div>
<div align="left">
<p align="left">If you wish to enable connections from the internet to
your firewall, the general format is:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div>
<div align="left">
<blockquote>
</blockquote>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3
Server
on your firewall system:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<blockquote>
</blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet
to/from the internet because it uses clear text (even for login!). If
you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
</blockquote>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    At this point, edit /etc/shorewall/rules to add other connections
as desired.</p>
</div>
<div align="left">
height="13"> &nbsp;&nbsp;&nbsp; At this point, edit
/etc/shorewall/rules to add other connections as desired.</p>
</div>
<div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 2/21/2003 - <a
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> &nbsp;&nbsp;&nbsp; The <a href="Install.htm">installation
procedure </a> configures your system to start Shorewall at system
boot but beginning with Shorewall version 1.3.9 startup is disabled so
that your system won't try to start Shorewall before configuration is
complete. Once you have completed configuration of your firewall, you
can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the
.deb package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">The firewall is started using the "shorewall start"
command and stopped using "shorewall stop". When the firewall is
stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
A running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from your
Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall
from the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 2/08/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a></p>
</body>
</html>

596
STABLE/documentation/starting_and_stopping_shorewall.htm
View File

@ -1,368 +1,326 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
Monitoring the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<p> If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you
have configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
</ol>
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program. Please refer to the <a
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the
"shorewall" shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p>
State Diagram</a> is shown at the bottom of this page. </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic
permitted through the firewall is from systems listed in /etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new connections
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic permitted
through the firewall is from systems listed in
/etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new
connections
originating from the firewall itself are allowed).</li>
<li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
<li>shorewall restart - stops the firewall (if it's running) and then
starts it again</li>
<li>shorewall reset - reset the packet and byte counters in the
firewall</li>
<li>shorewall clear - remove all rules and chains installed by
Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument,
then a shell trace of the command is produced as in:<br>
If you include the keyword <i>debug</i> as the first argument, then a
shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace information
<p>The above command would trace the 'start' command and place the
trace information
in the file /tmp/trace<br>
</p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about each
of its commands:<br>
</p>
</p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands:<br>
</p>
<ul>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
</ul>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about
the firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose
report about <i>chain </i>(iptables -L <i>chain</i>
-n -v)</li>
<li>shorewall show nat - produce a verbose report about
the nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about
the mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall
show tc
- displays information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display
the firewall status, last 20 log entries and nat. When the
log entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages
file.</li>
<li>shorewall version - Displays the installed
version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described
below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i>
timeout</i> ] - Restart shorewall using the specified configuration
and if an error occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept
and shorewall save implement <a
href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm
when new Shorewall messages are logged.</li>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i>1 [ <span style="font-style: italic;">chain2
... </span>] - produce a verbose
report about the listed <i>chains </i>(iptables -L <i>chain</i>
-n -v) <span style="font-weight: bold;">Note: </span>You may only
list one chain in the <span style="font-weight: bold;">show</span>
command when running Shorewall version 1.4.6 and earlier.&nbsp; Version
1.4.7 and later allow you to list multiple chains in one command.<br>
</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall show tc - displays information about the traffic
control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain
about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -
Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new
Shorewall messages are logged.</li>
</ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR notation
and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
range of IP addresses into the equivalent list of network/host addresses.
<br>
</li>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR
notation and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the
specified range of IP addresses into the equivalent list of
network/host addresses. <br>
</li>
</ul>
There is a set of commands dealing with <a
There is a set of commands dealing with <a
href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
<ul>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt
of packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so that
it will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets
from the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes
packets from the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables
receipt of packets from hosts previously blacklisted by a <i>drop</i>
or <i>reject</i> command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so
that it will be automatically restored the next time that the firewall
is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone
</i>- Adds the specified interface (and host if included) to the
specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
</i>- Deletes the specified interface (and host if included) from
the specified zone.</li>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the
specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will
be used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24
vpn1</b></font> -- adds the address 192.0.2.24 from interface ipsec0 to
the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall
check, </b>and <b>shorewall try </b>commands allow you to specify
which <a href="configuration_file_basics.htm#Configs"> Shorewall
configuration</a> to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ]
{start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that
Shorewall is going to use a file in /etc/shorewall it will first look
in the <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be
used.</p>
<p> When changing the configuration of a production firewall, I
recommend the following:</p>
<ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change
from /etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font
color="#009900"><b>/sbin/shorewall try .</b></font></li>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall to
. and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
<p> When the new configuration works then just </p>
<p> If the configuration starts but doesn't work, just "shorewall
restart" to restore the old configuration. If the new configuration
fails to start, the "try" command will automatically start the old one
for you.</p>
<p> When the new configuration works then just </p>
<ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted
below.<br>
</p>
<div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle">
<br>
</div>
<p>  <br>
</p>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the
actual transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
alt="(State Diagram)" width="747" height="714" align="middle"> <br>
</div>
<p>&nbsp; <br>
</p>
You will note that the commands that result in state transitions use
the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall
Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
Shorewall Configuration<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts
is passed to/from/through the firewall. For Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then
in addition, all existing connections are retained and all connection requests
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in
/etc/shorewall/hosts is passed to/from/through the firewall. For
Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then
in addition, all existing connections are retained and all connection
requests
from the firewall are accepted.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
start"<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt;
restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
<p><font size="2"> Updated 7/31/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<p><font size="2"> Updated 8/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

445
STABLE/documentation/support.htm
View File

@ -1,92 +1,62 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number of sources of Shorewall information. Please
try these before you post.
</h2>
There are a number of sources of Shorewall information. Please try
these before you post.
<ul>
<li>Shorewall versions
earlier that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
has solutions to more than 20 common problems.
</li>
<li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips
to help you solve common problems. </li>
<li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility
can locate documents and posts about similar problems:
</li>
<li>Shorewall versions earlier that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support list have
answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li>
<li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips
to help you solve common problems. </li>
<li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li> The Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
</ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1">Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -95,250 +65,193 @@ can locate documents and posts about similar problems:
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives:
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include
Mailing List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"><br>
</form>
</blockquote>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
</h2>
<ul>
<li>Please remember we only
know what is posted in your message. Do not leave out
any information that appears to be correct, or was mentioned
in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct
when it actually contained a small error. We tend to be skeptics
where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that
you're asking for <strong>free</strong> technical
support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details
that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then
ask us to send you custom configuration files.
We're here to answer your questions but we can't
do your job for you.<br>
<br>
</li>
<li>When reporting a problem,
<strong>ALWAYS</strong> include this information:</li>
<li>Please remember we only know what is posted in your message. Do
not leave out
any information that appears to be correct, or was mentioned in a
previous post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an
obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details
that we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include this
information:</li>
</ul>
<ul>
<ul>
<li>the exact version of
Shorewall you are running.<br>
<br>
<b><font
color="#009900">shorewall version</font><br>
</b> <br>
</li>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
</ul>
<ul>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
addr show<br>
<br>
</b></font></li>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
route show<br>
</b></font></li>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip route show<br>
</b></font></li>
</ul>
<ul>
</ul>
</ul>
<ul>
<ul>
<li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your
problem is that some type of connection to/from or through your firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an
attachment (you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
<li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If
your
problem is that some type of connection to/from or through your
firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an
attachment (you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul>
<li>As a general matter, please <strong>do not edit the
diagnostic information</strong> in an attempt to conceal
your IP address, netmask, nameserver addresses, domain name,
etc. These aren't secrets, and concealing them often misleads
us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of
your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try
to "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb
so don't post GIFs of your network
layout, etc. to the Mailing List -- your post will be
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and
concealing them often misleads us (and 80% of the time, a hacker could
derive them anyway from information contained in the SMTP headers of
your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that is giving you
problems? If so, include the message(s) in your post along with a copy
of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified that
file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless
unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font color="#009900"><b>shorewall
start</b></font>", include a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs of
your network
layout, etc. to the Mailing List -- your post will be
rejected.</b></li>
</ul>
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all
HTML is a Draconian way to control spam and that the
ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
</blockquote>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML based
e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to convert all HTML to
plain text. These converted posts are difficult to read so all of us
will appreciate it if you just post in plain text to begin with.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall
under MandrakeSoft Multi Network Firewall (MNF) and
you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b>
style="font-weight: 400;">please post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> </p>
</blockquote>
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list.</a> </p>
</blockquote>
<h2>Subscribing to the Users Mailing List<br>
</h2>
<blockquote>
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
<br>
Secure: <a
<p> To Subscribe to the mailing list go to <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
</p>
</blockquote>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
</p>
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>

2076
STABLE/documentation/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

344
STABLE/documentation/troubleshoot.htm
View File

@ -1,226 +1,208 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
height="90" align="middle"> </font></h1>
</td>
</tr>
</tbody>
</table>
<h3 style="text-align: center;"><span style="font-style: italic;">"If
you think you can you can; if you think you can't you're right.<br>
If you don't believe that you can, why should someone else?" -- Gunnar
Tapper<br>
</span></h3>
<h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version
of the firewall.</p>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to
be sure that there isn't an update that you are missing for your
version of the firewall.</p>
<h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to
common problems.</p>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting
the firewall and you can't determine the cause, then do the following:
If you receive an error message when starting or restarting the
firewall and you can't determine the cause, then do the following:
<ul>
<li>Make a note of the error message that you see.<br>
</li>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- If you are using Shorewall
1.4.0 or later, you should find the message near the end of the log.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
<li>Make a note of the error message that you see.<br>
</li>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
what the problem is. Be sure you find the place in the log where the
error message you saw is generated -- If you are using Shorewall 1.4.0
or later, you should find the message near the end of the log.</li>
<li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li>
</ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name"
turned up the following: 
<blockquote>
</blockquote>
A search through the trace for "No chain/target/match by that name"
turned up the following:&nbsp;
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had
forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT
--reject-with tcp-reset". In this case, the user had compiled his own
kernel and had
forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is actually
an ill-conceived network setup. Here are several popular snafus: </p>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular
snafus: </p>
<ul>
<li>Port Forwarding where client and server are
in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the
external subnet, thinking that Shorewall will suddenly believe
that the system is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch.
Given the way that the Linux kernel respond to ARP "who-has" requests,
this type of setup does NOT work the way that you expect it to.</li>
<li>Port Forwarding where client and server are in the same subnet.
See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe
that the system is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to. If you
are running Shorewall version 1.4.7 or later, you can test using this
kind of configuration if you specify
the <span style="font-weight: bold;">arp_filter</span>
option in /etc/shorewall/interfaces for all interfaces connected to the
common hub/switch. Using such a setup with a production firewall is
strongly recommended against.</li>
</ul>
<h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work,
they add clutter to your rule set and they represent a big security hole
in the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall
problem. If you DO see packet messages, it may be an indication that
you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">If the appropriate policy for the connection that you
are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work,
they add clutter to your rule set and they represent a big security
hole
in the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies
to ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted by
your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you
don't see Shorewall messages, then your problem is probably NOT a
Shorewall problem. If you DO see packet messages, it may be an
indication that
you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to
clear two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being generated
(be sure to restart shorewall after clearing these variables).</p>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2
DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP
SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the
all2all chain -- the packet was rejected under the "all"-&gt;"all"
REJECT policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
<li>all2all:REJECT - This packet was REJECTed out of the
all2all chain -- the packet was rejected under the "all"-&gt;"all"
REJECT policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br>
</p>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
loc&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 53<br>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional
information about how to interpret the chain name appearing in a
Shorewall log message.<br>
</p>
<h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to
ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br>
Either can't ping when you think you should be able to or are able to
ping when you think that you shouldn't be allowed? Shorewall's 'Ping'
Management<a href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that:
<li>Seeing rejected/dropped packets logged out of the INPUT or
FORWARD chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li>
<li>the source and destination hosts are both connected
to the same interface and you don't have a policy or rule for the
<li>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
are you?); or</li>
<li>the source and destination hosts are both connected to the
same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination
zone&gt;    icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if
you have the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp
type 8 between the zone containing the system you are pinging from
and the zone containing 10.1.1.2, the ping requests will be dropped. </li>
<li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to
the IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate,
the routing between them must be set up <u>in both directions.</u>
So when setting up routing between <b>A</b> and<b> B</b>, be sure
to verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Shorewall requires the "ip" program. That program
is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from
<a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>Problems with NAT? Be sure that you let
Shorewall add all external addresses to be use with NAT unless you
have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8
("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; &lt;source
zone&gt;&nbsp;&nbsp;&nbsp; &lt;destination zone&gt;&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you have the
following in /etc/shorewall/nat:<br>
<br>
&nbsp;&nbsp;&nbsp; 10.1.1.2&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type 8
between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped.&nbsp;</li>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to
the IP address of their nearest firewall interface. One often
overlooked aspect of routing is that in order for two hosts to
communicate,
the routing between them must be set up <u>in both directions.</u>
So when setting up routing between <b>A</b> and<b> B</b>, be sure
to verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell
with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a
corrected shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a href="kernel.htm">Click
here to see my kernel configuration.</a> </li>
<li>Shorewall requires the "ip" program. That program is generally
included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
ftp://ftp.inr.ac.ru/ip-routing</a> .</li>
<li>Problems with NAT? Be sure that you let
Shorewall add all external addresses to be use with NAT unless you
have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No
in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.<br>
</a></p>
<font face="Century Gothic, Arial, Helvetica">
</a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 4/29/2003 - Tom Eastep</font> </p>
</font>
<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

1771
STABLE/documentation/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

9
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.6c
VERSION=1.4.7
usage() # $1 = exit status
{
@ -82,6 +82,7 @@ restore_file /etc/shorewall/functions
restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions
restore_file /usr/lib/shorewall/firewall
restore_file /usr/lib/shorewall/help
restore_file /etc/shorewall/common.def
@ -133,6 +134,12 @@ restore_file /etc/shorewall/stopped
restore_file /etc/shorewall/ecn
restore_file /etc/shorewall/accounting
restore_file /etc/shorewall/usersets
restore_file /etc/shorewall/users
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`"

743
STABLE/firewall
View File

File diff suppressed because it is too large Load Diff

119
STABLE/functions
View File

@ -269,6 +269,13 @@ encodeaddr() {
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first last l x y z vlsm
@ -327,8 +334,6 @@ ip_range_explicit() {
fatal_error "Invalid IP address range: $1"
fi
l=$(( $last + 1 ))
while [ $first -le $last ]; do
echo `encodeaddr $first`
first=$(($first + 1))
@ -358,12 +363,11 @@ ip_network() {
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
# Note: 2147483647 = 0x7fffffff
ip_broadcast() {
local x=$(( ${1#*/} - 1 ))
local x=$(( 32 - ${1#*/} ))
[ $x -eq -1 ] && echo -1 || echo $(( 2147483647 >> $x ))
[ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}
#
@ -407,3 +411,108 @@ ip_vlsm() {
fi
}
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less "+" and anything following).
#
chain_base() #$1 = interface
{
local c=${1%%+*}
while true; do
case $c in
*.*)
c="${c%.*}_${c##*.}"
;;
*)
echo ${c:=common}
return
;;
esac
done
}
#
# Remove trailing digits from a name
#
strip_trailing_digits() {
echo $1 | sed s'/[0-9].*$//'
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Name from routing table
{
local if_file=$1
local rt_table=$2
case $if_file in
*+)
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
;;
*)
test "$rt_table" = "$if_file"
;;
esac
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_subnet ${1%/*} $addr && echo `find_device $rest`
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo `find_device $rest`
fi
;;
esac
done
}
#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo `find_device $rest` && return
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev="`find_rt_interface $1`"
local first rest
[ -z "$dev" ] && dev=`find_default_interface`
[ -n "$dev" ] && echo $dev
}

42
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.6c
VERSION=1.4.7
usage() # $1 = exit status
{
@ -316,6 +316,14 @@ install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
#
# Install the Help file
#
install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
echo
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
#
# Install the common.def file
#
@ -545,7 +553,37 @@ if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
#
# Install the Accounting file
#
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
backup_file /etc/shorewall/accounting
else
run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the User Sets file
#
if [ -f ${PREFIX}/etc/shorewall/usersets ]; then
backup_file /etc/shorewall/usersets
else
run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets
echo
echo "User Sets file installed as ${PREFIX}/etc/shorewall/usersets"
fi
#
# Install the User file
#
if [ -f ${PREFIX}/etc/shorewall/users ]; then
backup_file /etc/shorewall/users
else
run_install -o $OWNER -g $GROUP -m 0600 users ${PREFIX}/etc/shorewall/users
echo
echo "Users file installed as ${PREFIX}/etc/shorewall/users"
fi
#
# Backup the version file

9
STABLE/interfaces
View File

@ -103,6 +103,15 @@
# This option has no effect if
# NEWNOTSYN=Yes.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.

3
STABLE/masq
View File

@ -49,6 +49,9 @@
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#

2
STABLE/modules
View File

@ -12,8 +12,10 @@
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

3
STABLE/nat
View File

@ -32,5 +32,6 @@
# Yes or yes, NAT will be effective from the firewall
# system
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

12
STABLE/policy
View File

@ -3,6 +3,8 @@
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
@ -69,8 +71,12 @@
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE

423
STABLE/releasenotes.txt
View File

@ -1,38 +1,20 @@
This is a minor release of Shorewall.
Problems Corrected:
Problems Corrected since version 1.4.6:
1) A problem seen on RH7.3 systems where Shorewall encountered start
errors when started using the "service" mechanism has been worked
around.
2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.
3) Corrected a problem in Beta 1 where DNS names containing a "-" were
mis-handled when they appeared in the DEST column of a rule.
4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
rules has been corrected.
5) The message "Adding rules for DHCP" is now suppressed if there are
no DHCP rules to add.
6) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
being tested before it was set.
7) Corrected handling of MAC addresses in the SOURCE column of the
2) Corrected handling of MAC addresses in the SOURCE column of the
tcrules file. Previously, these addresses resulted in an invalid
iptables command.
8) The "shorewall stop" command is now disabled when
3) The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured
Shorewall.
9) A change introduced in version 1.4.6 caused error messages during
4) A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being added to a PPP interface; the addresses were successfully
added in spite of the messages.
@ -40,172 +22,323 @@ Problems Corrected:
The firewall script has been modified to eliminate the error
messages.
10) When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in
/etc/shorewall/masq resulted in a startup error:
5) Interface-specific dynamic blacklisting chains are now displayed by
"shorewall monitor" on the "Dynamic Chains" page (previously named
"Dynamic Chain").
eth0 eth1 206.124.146.20-206.124.146.24
6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
11) Shorewall previously choked over IPV6 addresses configured on
interfaces in contexts where Shorewall needed to detect something
about the interface (such as when "detect" appears in the BROADCAST
column of the /etc/shorewall/interfaces file).
7) The 'shorewall reject' and 'shorewall drop' commands now delete any
existing rules for the subject IP address before adding a new DROP
or REJECT rule. Previously, there could be many rules for the same
IP address in the dynamic chain so that multiple 'allow' commands
were required to re-enable traffic to/from the address.
8) When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in
/etc/shorewall/masq resulted in a startup error:
eth0 eth1 206.124.146.20-206.124.146.24
9) Shorewall previously choked over IPV6 addresses configured on
interfaces in contexts where Shorewall needed to detect something
about the interface (such as when "detect" appears in the BROADCAST
column of the /etc/shorewall/interfaces file).
10) Shorewall will now load module files that are formed from the
module name by appending ".o.gz".
11) When Shorewall adds a route to a proxy ARP host and such a route
already exists, two routes resulted previously. This has been
corrected so that the existing route is replaced if it already
exists.
12) The rfc1918 file has been updated to reflect recent allocations.
13) The documentation of the USERSETS column in the rules file has been
corrected.
14) If there is no policy defined for the zones specified in a rule,
the firewall script previously encountered a shell syntax error:
[: NONE: unexpected operator
Now, the absence of a policy generates an error message and the
firewall is stopped:
No policy defined from zone <source> to zone <dest>
15) Previously, if neither /etc/shorewall/common nor
/etc/shorewall/common.def existed, Shorewall would fail to start
and would not remove the lock file. Failure to remove the lock file
resulted in the following during subsequent attempts to start:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Giving up on lock file /var/lib/shorewall/lock
Shorewall Not Started
Shorewall now reports a fatal error if neither of these two files
exist and correctly removes the lock file.
16) The order of processing the various options has been changed such
that blacklist entries now take precedence over the 'dhcp'
interface setting.
17) The log message generated from the 'logunclean' interface option
has been changed to reflect a disposition of LOG rather than DROP.
18) When a user name and/or a group name was specified in the USER SET
column and the destination zone was qualified with a IP address,
the user and/or group name was not being used to qualify the rule.
Example:
ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir:
19) The /etc/shorewall/masq file has had the spurious "/" character at
the front removed.
Migration Issues:
1) In earlier versions, an undocumented feature allowed entries in
the host file as follows:
1) IP Traffic Accounting is changed from Snapshot 20030813.
z eth1:192.168.1.0/24,eth2:192.168.2.0/24
2) The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the User Set page for details.
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:
z eth1:192.168.1.0/24,192.168.2.0/24
2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).
3) The per-interface dynamic blacklisting facility from previous 1.4.6
Snapshots has been removed. The implications of the facility for
users with dial-up internet connections were too complicated to
document adaquately. My apologies for unleashing this half-baked
idea on the user base.
New Features:
1) A 'newnotsyn' interface option has been added. This option may be
specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.
1) The 2.6 series of Linux kernels will not support the 'unclean'
match extension except in Patch-O-Matic. In keeping with the
Shorewall policy of not supporting netfilter extensions that are
only available in Patch-O-Matic, the 'dropunclean' and
'logunclean' interface options will be removed in a future
release. In the 1.4.7 release, they are flagged with a warning.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
2) Thanks to Steve Herber, the help command can now give
command-specific help.
3) Shorewall can now add IP addresses to subnets other than the first
one on an interface.
3) A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of
"No" for existing Shorewall users who are upgrading to this release.
With this setting, Shorewall's 'stopped' state continues as it has
been; namely, in the stopped state only traffic to/from hosts listed
in /etc/shorewall/routestopped is accepted.
4) DNAT[-] rules may now be used to load balance (round-robin) over a
set of servers. Any number of servers may be specified in a range of
addresses given as <first address>-<last address> and multiple
ranges or individual servers may be specified in a comma-separated
list.
The default for new users installing Shorewall for the first time is
ADMINISABSENTMINDED=Yes.With that setting, in addition to traffic
to/from the hosts listed in /etc/shorewall/routestopped, Shorewall
will allow:
a) All traffic originating from the firewall itself; and
b) All traffic that is part of or related to an already-existing
connection.
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.
Note though that it is still possible for people to shoot themselves
in the foot.
Example:
DNAT net loc:192.168.10.2-192.168.10.5,192.168.10.44 tcp 80
/etc/shorewall/nat:
5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The
output of the start, restart and check commands have been enhanced
to report the outcome:
206.124.146.178 eth0:0 192.168.1.5
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Verifying Configuration...
/etc/shorewall/rules:
6) Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in
netfilter's connection tracking table.
ACCEPT net loc:192.168.1.5 tcp 22
ACCEPT loc fw tcp 22
Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and
check commands.
I ssh into 206.124.146.178 which establishes an SSH connection with
192.168.1.5. I then create a second SSH connection from that
computer to the firewall and confidently type "shorewall
stop". As part of stopping, Shorewall removes eth0:0 which kills my
SSH connection to 192.168.1.5!!!
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Verifying Configuration...
4) Given the wide range of VPN software, I can never hope to add
specific support for all of it. I have therefore decided to add
"generic" tunnel support.
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:
Generic tunnels work pretty much like any of the other tunnel
types. You usually add a zone to represent the systems at the other
end of the tunnel and you add the appropriate rules/policies to
implement your security policy regarding traffic to/from those
systems.
a) To handle 'norfc1918' filtering, Shorewall will not create chains
in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).
In the /etc/shorewall/tunnels file, you can have entries of the
form:
b) Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table
is extended to check that the original destination address was the
same as specified (or defaulted to) in the DNAT rule.
# TYPE ZONE GATEWAY GATEWAY ZONE
generic:<protocol>[:<port>] <zone> <ip address> <gateway zones>
7) The shell used to interpret the firewall script
(/usr/share/shorewall/firewall) may now be specified using the
SHOREWALL_SHELL parameter in shorewall.conf.
where:
8) An 'ipcalc' command has been added to /sbin/shorewall.
<protocol> is the protocol used by the tunnel
<port> if the protocol is 'udp' or 'tcp' then this
is the destination port number used by the
tunnel.
<zone> is the zone of the remote tunnel gateway
<ip address> is the IP address of the remote tunnel
gateway.
<gateway zone> Optional. A comma-separated list of zone names.
If specified, the remote gateway is to be
considered part of these zones.
ipcalc [ <address> <netmask> | <address>/<vlsm> ]
5) An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
result that this interface will only answer ARP 'who-has' requests
from hosts that are routed out of that interface. Setting this
option facilitates testing of your firewall where multiple firewall
interfaces are connected to the same HUB/Switch (all interfaces
connected to the single HUB/Switch should have this option
specified). Note that using such a configuration in a production
environment is strongly recommended against.
Examples:
6) The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter
will use all listed addresses/ranges in round-robin fashion.
[root@wookie root]# shorewall ipcalc 192.168.1.0/24
CIDR=192.168.1.0/24
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
7) An /etc/shorewall/accounting file has been added to allow for
traffic accounting..
[root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
CIDR=192.168.1.0/24
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
The accounting rules are placed in a chain called "accounting" and
can thus be displayed using "shorewall show accounting".
Warning:
The file has the following columns:
If your shell only supports 32-bit signed arithmatic (ash or
dash), then the ipcalc command produces incorrect information for
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
correct information for all valid IP addresses.
ACTION - What to do when a match is found. Possible
values are:
9) An 'iprange' command has been added to /sbin/shorewall.
COUNT - Simply count the match and continue
trying to match the packet with the
following accounting rules.
iprange <address>-<address>
DONE - Count the match and don't attempt to
match any following accounting rules.
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to
construct an efficient set of rules that accept connections from a
range of network addresses.
<chain> - The name of a chain to jump to.
Shorewall will create the chain
automatically. If the name of the
chain is followed by ":COUNT" then
a COUNT rule matching this rule
will automatically be added to
<chain>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.
CHAIN - The name of the chain where the accounting
rule is to be added. If empty or "-" then
the "accounting" chain is assumed.
Example:
SOURCE - Packet Source
[root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/25
192.168.2.0/23
192.168.4.0/22
192.168.8.0/22
192.168.12.0/29
192.168.12.8/31
[root@gateway root]#
The name of an interface, an address (host or
net) or an interface name followed by ":"
and a host or net address.
10) A list of host/net addresses is now allowed in an entry in
/etc/shorewall/hosts.
DESTINATION - Packet Destination
Example:
Format the same as the SOURCE column.
foo eth1:192.168.1.0/24,192.168.2.0/24
PROTOCOL A protocol name (from /etc/protocols), a
protocol number.
11) The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.
DEST PORT Destination Port number
Example:
Service name from /etc/services or port
number. May only be specified if the protocol
is TCP or UDP (6 or 17).
Policy for dmz to net is REJECT using chain all2all
SOURCE PORT Source Port number
This means that the policy for connections from the dmz to the
internet is REJECT and the applicable entry in the
/etc/shorewall/policy was the all->all policy.
Service name from /etc/services or port
number. May only be specified if the protocol
is TCP or UDP (6 or 17).
12) Support for the 2.6 Kernel series has been added.
In all columns except ACTION and CHAIN, the values "-","any" and
"all" are treated as wild-cards.
The accounting rules are evaluated in the Netfilter 'filter'
table. This is the same environment where the 'rules' file rules are
evaluated and in this environment, DNAT has already occurred in
inbound packets and SNAT has not yet occurred on outbound ones.
The accounting rules are placed in a chain called "accounting" and
can thus be displayed using "shorewall show accounting".
See http://shorewall.net/Accounting.html for examples.
8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.
9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and
REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate
limited. If you want to limit the filter table rule, you will need
to create two rules; a DNAT- rule and an ACCEPT rule which can be
rate-limited separately.
To specify a rate limit, you can follow one of two approaches:
a) You may follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
< <rate>/<interval>[:<burst>] >
where
<rate> is the sustained rate per <interval>
<interval> is "sec" or "min"
<burst> is the largest burst accepted within an
<interval>. If not given, the default of 5 is
assumed.
There may be no white space between the ACTION and "<" nor there
may be any white space within the burst specification. If you want
to specify logging of a rate-limited rule, the ":" and log level
comes after the ">" (e.g., ACCEPT<2/sec:4>:info ).
b) There is a new RATE LIMIT column at the far right of the
file (beyond column 80). You may place the rate limit there in
the format:
<rate>/<interval>[:<burst>]
where <rate>, <interval> and <burst> are as above.
You may not place a rate limit in both the ACTION and RATE LIMIT
columns.
Let's take an example:
ACCEPT<2/sec:4> net dmz tcp 80
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be
accepted. After this, it will be 500ms (1 second divided by the rate
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged;
back where we started.
Warning: When rate limiting is specified on a rule with "all" in the
SOURCE or DEST fields, the limit will apply to each pair of
zones individually rather than as a single limit for all pairs of
zones covered by the rule.
10) Multiple chains may now be displayed in one "shorewall show"
command (e.g., shorewall show INPUT FORWARD OUTPUT).
11) Output rules (those with $FW as the SOURCE) may now be limited to
a set of local users and/or groups. See
http://shorewall.net/UserSets.html for details.
12) The RPM has been modified so that it no longer conflicts with
SuSE's bizarre kernel RPMs.

5
STABLE/rfc1918
View File

@ -22,7 +22,7 @@
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
192.168.0.0/16 logdrop # RFC 1918
#
# The following are generated with the help of the Python program found at:
@ -46,7 +46,6 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
83.0.0.0/8 logdrop # Reserved
@ -56,7 +55,7 @@
127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries

72
STABLE/rules
View File

@ -47,10 +47,29 @@
# (those) zone(s).
# LOG -- Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT<4/sec:8>:debugging). This causes the packet to be
# logged at the specified level.
#
# NOTE: For those of you who prefer to place the
# rate limit in a separate column, see the RATE LIMIT
# column below. If you specify a value in that column,
# you must not include a rate limit in the ACTION column
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
@ -193,6 +212,39 @@
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the ACTION column.
#
# USER SET This column may only be non-empty if the SOURCE is
# the firewall itself and the ACTION is ACCEPT, DROP or
# REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user>(s) and/or <group>(s) specified.
# When a user set name is given, a log level may not be
# present in the ACTION column; logging for such rules is
# controlled by the user set's entry in
# /etc/shorewall/usersets.
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
@ -206,6 +258,14 @@
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
@ -226,9 +286,9 @@
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 \
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

89
STABLE/shorewall
View File

@ -51,7 +51,7 @@
# compensate for a change of
# broadcast address on any "detect"
# interface.
# shorewall show <chain> Display the rules in a <chain>
# shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
# shorewall show log Print the last 20 log messages
# shorewall show connections Show the kernel's connection
# tracking table
@ -517,6 +517,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done
}
#
# Help information
#
help()
{
[ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP"
}
#
# Give Usage Information
#
@ -525,27 +534,28 @@ usage() # $1 = exit status
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
echo " restart"
echo " status"
echo " clear"
echo " refresh"
echo " hits"
echo " monitor [<refresh interval>]"
echo " version"
echo " check"
echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]"
echo " drop <address> ..."
echo " reject <address> ..."
echo " allow <address> ..."
echo " save"
echo " check"
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>"
echo " logwatch [<refresh interval>]"
echo " monitor [<refresh interval>]"
echo " refresh"
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " save"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
exit $1
}
@ -611,12 +621,11 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT=
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
HELP=$SHARED_DIR/help
if [ -f $FUNCTIONS ]; then
. $FUNCTIONS
@ -634,6 +643,8 @@ else
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then
@ -687,26 +698,29 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;;
show|list)
[ $# -gt 2 ] && usage 1
case "$2" in
connections)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo
cat /proc/net/ip_conntrack
;;
nat)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo
show_reset
iptables -t nat -L -n -v
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo
show_reset
iptables -t mangle -L -n -v
;;
log)
[ $# -gt 2 ] && usage 1
get_config
echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo
@ -715,20 +729,30 @@ case "$1" in
packet_log 20
;;
tc)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo
show_tc
;;
classifiers)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo
show_classifiers
;;
*)
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
shift
echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
echo
show_reset
iptables -L $2 -n -v
if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain -n -v
done
else
iptables -L -n -v
fi
;;
esac
;;
@ -837,6 +861,8 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
@ -847,6 +873,8 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
done
@ -857,13 +885,7 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt iptables -D dynamic -s $1 -j reject; then
#
# Address was rejected -- silently remove any drop as well
#
qt iptables -D dynamic -s $1 -j DROP
echo "$1 Allowed"
elif qt iptables -D dynamic -s $1 -j DROP; then
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
@ -927,6 +949,11 @@ case "$1" in
shift;
$@
;;
help)
shift
[ $# -ne 1 ] && usage 1
help $@
;;
*)
usage 1
;;

29
STABLE/shorewall.conf
View File

@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60
NEWNOTSYN=No
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################

43
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.6c
%define version 1.4.7
%define release 1
%define prefix /usr
@ -16,7 +16,6 @@ URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables iproute
Conflicts: kernel <= 2.2
%description
@ -98,19 +97,47 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets
%attr(0600,root,root) %config(noreplace) /etc/shorewall/users
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Wed Aug 27 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6c-1
* Fri Aug 01 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6b-1
* Tue Jul 22 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6a-1
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-1
- Removed conflict with 2.2 Kernels
* Mon Sep 22 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0RC2
* Thu Sep 18 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0RC1
* Mon Sep 15 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0Beta2
* Mon Aug 25 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0Beta1
* Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
- Added /etc/shorewall/users
- Changed version to 1.4.6_20030823-1
* Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030821-1
- Added /etc/shorewall/usersets
* Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030813-1
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
- Added /etc/shorewall/accounting
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030809-1
* Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030731-1
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
- Added /usr/share/shorewall/help
- Changed version to 1.4.6_20030727-1
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030726-1
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>

3
STABLE/tcrules
View File

@ -58,5 +58,6 @@
# separated list of port names, port numbers or port
# ranges.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
#MARK SOURCE DEST PROTO PORT(S) CLIENT
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

22
STABLE/tunnels
View File

@ -10,13 +10,20 @@
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn".
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
# of 5000 will be used
#
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
@ -30,7 +37,7 @@
# column is a standalone host then this column should
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC tunnels.
# applies to IPSEC and generic tunnels.
#
# Example 1:
#
@ -85,5 +92,14 @@
#
# openvpn:7777 net 4.33.99.124
#
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6c
VERSION=1.4.7
usage() # $1 = exit status
{
@ -99,7 +99,8 @@ if [ -n "$FIREWALL" ]; then
rm -f ${FIREWALL}-*.bkout
fi
remove_file /sbin/shorewall
rm -f /sbin/shorewall
rm -f /sbin/shorewall-*.bkout
if [ -n "$VERSION" ]; then
restore_file /etc/rc.d/rc.local

5
STABLE/zones
View File

@ -7,6 +7,11 @@
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks

334
Shorewall-docs/Documentation.htm
View File

@ -105,6 +105,10 @@ packets for <a href="traffic_shaping.htm">Traffic Shaping/Control</a>.</li>
the firewall. This should be placed in /sbin or in /usr/sbin (the
install.sh
script and the rpm install this file in /sbin).</li>
<li><a href="Accounting.html"><span style="font-weight: bold;">accounting</span></a>
-- a parameter file in /etc/shorewall used to define traffic accounting
rules. This file was added in version 1.4.7.<br>
</li>
<li><b> version</b> -- a file created in /etc/shorewall/
(/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall
beginning in version 1.3.9) that describes the version of Shorewall
@ -676,7 +680,10 @@ which TCP connection requests will be accepted followed by a colon
Example: <b> 10/sec:40</b> specifies that the maximum rate of TCP
connection requests allowed will be
10 per second and a burst of 40 connections will be tolerated.
Connection requests in excess of these limits will be dropped.</li>
Connection requests in excess of these limits will be dropped. See the <a
href="#Rules">rules file documentation</a> for an explaination of how
rate limiting works.<br>
</li>
</ol>
<p> In the SOURCE and DEST columns, you can enter "all" to indicate all
zones. </p>
@ -940,6 +947,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>...</td>
@ -955,6 +969,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@ -965,6 +983,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@ -975,6 +997,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>...</td>
@ -990,6 +1016,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1010,7 +1040,7 @@ requires two rules as follows:</p>
<p> </p>
<font face="Century Gothic, Arial, Helvetica"> </font><font
face="Century Gothic, Arial, Helvetica"> </font>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<table style="border-collapse: collapse;" cellpadding="2" border="1">
<tbody>
<tr>
<td><b>ACTION</b></td>
@ -1023,6 +1053,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td> <br>
@ -1039,6 +1076,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>...</td>
@ -1054,6 +1095,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@ -1064,6 +1109,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@ -1074,6 +1123,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>...</td>
@ -1089,6 +1142,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1134,8 +1191,46 @@ header-rewriting rule.<br>
<li>LOG - Log the packet -- requires
a syslog level (see below).</li>
</ul>
<p>The ACTION may optionally be followed by ":" and a <a
href="shorewall_logging.html">syslog level</a> (example: REJECT:info).
<p>Beginning with Shorewall version 1.4.7, you may rate-limit the
rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt; &lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
<br>
where<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt; is the number of connections per <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;interval&gt; ("sec" or "min") and &lt;burst&gt; is the largest
burst permitted. If no burst value is given, a value of 5 is assumed.<br>
<br>
There may be no whitespace embedded in the
specification.&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; <br>
<br>
Let's take an example:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate of 2) before
a packet will be accepted from this rule, regardless of how many
packets reach it. Also, every 500ms which passes without matching a
packet, one of the bursts will be regained; if no packets hit the rule
for 2 second, the burst will be fully recharged; back where we started.<br>
<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST fields
below, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of zones covered by the rule.<br>
<br>
Rate limiting may also be specified in the RATE LIMIT column below; in
that case, it must not be specified as part of the ACTION column.<br>
<br>
The ACTION (and rate limit) may optionally be followed by ":" and a <a
href="shorewall_logging.html">syslog level</a> (example: REJECT:info
or ACCEPT&lt;2/sec:4&gt;:debugging).
This
causes the packet to be logged at the specified level prior to being
processed according to the specified ACTION. Note: if the ACTION
@ -1145,6 +1240,8 @@ The use of DNAT or REDIRECT requires that you have <a
href="#NatEnabled">NAT enabled</a>.<br>
</p>
</li>
<li> <br>
</li>
<li><b>SOURCE</b> - Describes the source hosts to which the rule
applies.. The contents of this field must begin with the name of a zone
defined in /etc/shorewall/zones, $FW or
@ -1269,12 +1366,63 @@ scope of a rule by incoming interface. <br>
</b>If SNAT is not used (no ":" and second IP address), the
original source address is used. If you want any destination address to
match the rule but want to specify SNAT, simply use a colon followed by
the SNAT address.</li>
the SNAT address.<br>
<br>
</li>
<li><span style="font-weight: bold;">RATE LIMIT </span>- Beginning
with Shorewall version 1.4.7, you may rate-limit ACCEPT, DNAT[-],
REDIRECT[-] or LOG rules with an entry in this column. Entries have the
form<br>
&nbsp;<br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] <br>
<br>
where<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt; is the number of connections per <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;interval&gt; ("sec" or "min") and &lt;burst&gt; is the largest
burst permitted. If no burst value is given, a value of 5 is assumed.<br>
<br>
There may be no whitespace embedded in the
specification.&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; <br>
<br>
Let's take an example:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate of 2) before
a packet will be accepted from this rule, regardless of how many
packets reach it. Also, every 500ms which passes without matching a
packet, one of the bursts will be regained; if no packets hit the rule
for 2 second, the burst will be fully recharged; back where we started.<br>
<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST fields
below, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of zones covered by the rule.<br>
<br>
Rate limiting may also be specified in the ACTION column above; in that
case, it must not be specified as part of the RATE LIMIT column.<br>
<br>
If you want to specify any following columns but no rate limit, place
"-" in this column.<br>
<br>
</li>
<li><span style="font-weight: bold;">USER SET </span>- Beginning
with Shorewall release 1.4.7, output rules from the firewall itself may
be restricted to a particular set of users and/or user groups. See the <a
href="UserSets.html">User Set Documentation </a>for details.<br>
</li>
</ul>
<p><b> <font face="Century Gothic, Arial, Helvetica"> <a
name="PortForward"></a> </font>Example 1. </b> You wish to forward
all ssh connection requests from the internet to local system
192.168.1.3. </p>
192.168.1.3.&nbsp; You wish to limit the number of connections to
4/minute with a burst of 8 (Shorewall 1.4.7 and later only): </p>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -1289,9 +1437,17 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET<br>
</span></td>
</tr>
<tr>
<td>DNAT</td>
<td>DNAT&lt;4/min:8&gt;</td>
<td>net</td>
<td>loc:192.168.1.3</td>
<td>tcp</td>
@ -1300,6 +1456,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1326,6 +1486,14 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET<br>
</span></td>
</tr>
<tr>
<td>REDIRECT</td>
@ -1336,6 +1504,10 @@ DEST</b></td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
@ -1347,6 +1519,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1369,6 +1545,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>ACCEPT</td>
@ -1379,6 +1562,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
@ -1390,6 +1577,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1423,6 +1614,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>DNAT</td>
@ -1434,6 +1632,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@ -1443,6 +1645,10 @@ DEST</b></td>
<td>ftp</td>
<td>-</td>
<td>155.186.235.151</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1475,6 +1681,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>ACCEPT</td>
@ -1487,6 +1700,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1511,9 +1728,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
@ -1530,6 +1754,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1560,9 +1788,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
@ -1579,6 +1814,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1606,9 +1845,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">DNAT-<br>
@ -1625,6 +1871,10 @@ DEST<br>
</td>
<td valign="top">192.0.2.178<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td valign="top">DNAT-<br>
@ -1641,6 +1891,10 @@ DEST<br>
</td>
<td valign="top">192.0.2.179<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
@ -1657,6 +1911,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1687,9 +1945,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">DNAT<br>
@ -1706,6 +1971,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@ -1765,9 +2034,15 @@ static IP on that interface, listing it here makes processing of output
packets a little less expensive for the firewall. If you specify an
address in this column, it must be an IP address configured on the
INTERFACE or you must have
ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a></li>
ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a>
Beginning with Shorewall version 1.4.6, you may include a range of IP
addresses in this column to indicate that Netfilter should use the
addresses in the range in round-robin fashion. Beginning with Shorewall
version 1.4.7, you may include a list of ranges and/or addresses in
this column; again, Netfilter will use all listed ranges/addresses in
rounde-robin fashion.</li>
</ul>
<p><b> Example 1: </b> You have eth0 connected to a cable modem and
<p><b>Example 1: </b> You have eth0 connected to a cable modem and
eth1 connected to your local subnetwork 192.168.9.0/24. Your
/etc/shorewall/masq file would look like: </p>
<blockquote>
@ -1865,6 +2140,26 @@ name eth0:0. You must have ADD_SNAT_ALIASES=Yes in <a href="#Conf">/etc/shorewal
</tbody>
</table>
</blockquote>
<span style="font-weight: bold;">Example 6 (Shorewall version &gt;=
1.4.7): </span>You want to use both 206.124.146.177 and
206.124.146.179 for SNAT of the subnet 192.168.12.0/24. Each address
will be used on alternate outbound connections.<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b> INTERFACE</b></td>
<td><b> SUBNET</b></td>
<td><b>ADDRESS</b></td>
</tr>
<tr>
<td>eth0</td>
<td>192.168.12.0/24</td>
<td>206.124.146.177,206.124.146.179</td>
</tr>
</tbody>
</table>
</blockquote>
<h2><font color="#660066"><b><a name="ProxyArp"></a> </b></font>/etc/shorewall/proxyarp</h2>
<p>If you want to use proxy ARP on an entire sub-network, I suggest
that you look at <a
@ -2009,8 +2304,10 @@ kernel compilation errors.</p>
may be found here,</a></b> <b><a href="IPIP.htm">instructions for IPIP
and GRE tunnels are here</a></b>, <b><a href="OPENVPN.html">instructions
for OpenVPN tunnels are here</a></b>, <b><a href="PPTP.htm">instructions
for PPTP tunnels are here</a> and <a href="6to4.htm">instructions for
6to4 tunnels</a> are here.</b></p>
for PPTP tunnels are here</a>, <a href="6to4.htm">instructions for
6to4 tunnels are here</a> and <a href="GenericTunnels.html">instructions
for integrating Shorewall with other types of tunnels are here</a>.<br>
</b></p>
<h2><a name="Conf"></a>/etc/shorewall/shorewall.conf</h2>
<p> This file is used to set the following firewall parameters:</p>
<ul>
@ -2484,7 +2781,9 @@ blacklist capability.</a></p>
<p><font color="#cc6666"><b>IMPORTANT: The Shorewall blacklist file is <u>NOT</u>
designed to police your users' web browsing -- to do that, I suggest
that you install and configure Squid (<a
href="http://www.squid-cache.org">http://www.squid-cache.org</a>). </b></font></p>
href="http://www.squid-cache.org">http://www.squid-cache.org</a>) with
SquidGuard (<a href="http://www.squidguard.org/">http://www.squidguard.org/</a>).
</b></font></p>
<h2><a name="rfc1918"></a>/etc/shorewall/rfc1918 (Added in Version
1.3.1)</h2>
<p>This file lists the subnets affected by the <a href="#Interfaces"><i>norfc1918</i>
@ -2543,7 +2842,8 @@ Validation Documentation</a>.<br>
<h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
This file is described in the <a href="ECN.html">ECN Control
Documentation</a>.<br>
<p><font size="-1"> Updated 8/8/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>

2372
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

368
Shorewall-docs/FTP.html
View File

@ -1,234 +1,214 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall and FTP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<h2></h2>
<blockquote> </blockquote>
<p>FTP transfers involve two TCP connections. The first <u>control</u> connection
goes from the FTP client to port 21 on the FTP server. This connection is
used for logon and to send commands and responses between the endpoints.
Data transfers (including the output of "ls" and "dir" commands) requires
a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
<blockquote> </blockquote>
<p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
connection is used for logon and to send commands and responses between
the endpoints. Data transfers (including the output of "ls" and "dir"
commands) requires a second <u>data</u> connection. The data
connection is dependent on the <u>mode</u>
that the client is operating in:<br>
</p>
</p>
<ul>
<li>Passive Mode (default for web browsers) -- The client issues a PASV
command. Upon receipt of this command, the server listens on a dynamically-allocated
port then sends a PASV reply to the client. The PASV reply gives the IP address
and port number that the server is listening on. The client then opens a
<li>Passive Mode (default for web browsers) -- The client issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client. The
PASV reply gives the IP address
and port number that the server is listening on. The client then opens
a
second connection to that IP address and port number.</li>
<li>Active Mode (often the default for line-mode clients) -- The client
listens on a dynamically-allocated port then sends a PORT command to the
server. The PORT command gives the IP address and port number that the client
is listening on. The server then opens a connection to that IP address and
port number; the <u>source port</u> for this connection is 20 (ftp-data in
/etc/services).</li>
<li>Active Mode (often the default for line-mode clients) -- The
client listens on a dynamically-allocated port then sends a PORT
command to the server. The PORT command gives the IP address and port
number that the client is listening on. The server then opens a
connection to that IP address and port number; the <u>source port</u>
for this connection is 20 (ftp-data in /etc/services).</li>
</ul>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive mode
and that I can toggle between passive and active mode by issuing a "passive"
command:<br>
<blockquote>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive
mode and that I can toggle between passive and active mode by issuing a
"passive" command:<br>
<blockquote>
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
</blockquote>
Things to notice:<br>
</blockquote>
Things to notice:<br>
<ol>
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP address;
and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and separates
the two bytes by a comma. As shown in the PORT command, port 142,58 translates
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP
address; and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and
separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates
to 142*256+58 = 36410.<br>
</li>
</li>
</ol>
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode requires
the firewall to dynamically open a "hole" for the server's connection back
to the client. Similarly, if you are running an FTP server in your local
zone then active mode should always work but passive mode requires the firewall
to dynamically open a "hole" for the client's second connection to the server.
This is the role of FTP connection-tracking support in the Linux kernel.
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode
requires the firewall to dynamically open a "hole" for the server's
connection back to the client. Similarly, if you are running an FTP
server in your local
zone then active mode should always work but passive mode requires the
firewall to dynamically open a "hole" for the client's second
connection to the server. This is the role of FTP connection-tracking
support in the Linux kernel.
<div align="left"><br>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved,
the PORT commands and PASV responses may also need to be modified by the
firewall. This is the job of the FTP nat support kernel function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
modified by the firewall. This is the job of the FTP nat support kernel
function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means
that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
<p>Example:<br>
</p>
<blockquote>
</p>
<blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate directory,
you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf
to point to that directory.<br>
</p>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21. <br>
</p>
<p>The above discussion about commands and responses makes it clear that the
FTP connection-tracking and NAT helpers must scan the traffic on the control
connection looking for PASV and PORT commands as well as PASV responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,  you must therefore let the helpers know by specifying the port
in /etc/shorewall/modules entries for the helpers. For example, if you
run an FTP server that listens on port 49 then you would have:<br>
</p>
<blockquote>
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21.&nbsp;<br>
</p>
<p>The above discussion about commands and responses makes it clear
that the
FTP connection-tracking and NAT helpers must scan the traffic on the
control
connection looking for PASV and PORT commands as well as PASV
responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,&nbsp; you must therefore let the helpers know by specifying
the port
in /etc/shorewall/modules entries for the helpers. <span
style="font-weight: bold;">For example, if you
run an FTP server that listens on port 49 or you need to access a
server on the internet that listens on that port then you would have:</span><br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
may have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in
/etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to
/etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot</li>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
restart</font></b>); or</li>
<li>Reboot</li>
</ol>
One problem that I see occasionally involves active mode and the FTP server
in my DMZ. I see the active data connection <u>to certain client IP addresses</u>
being continuously rejected by my firewall. It is my conjecture that there
is some broken client out there that is sending a PORT command that is being
either missed or mis-interpreted by the FTP connection tracking helper yet
it is being accepted by my FTP server. My solution is to add the following
rule:<br>
<blockquote>
One problem that I see occasionally involves active mode and the FTP
server in my DMZ. I see the active data connection <u>to certain
client IP addresses</u> being continuously rejected by my firewall. It
is my conjecture that there is some broken client out there that is
sending a PORT command that is being either missed or mis-interpreted
by the FTP connection tracking helper yet it is being accepted by my
FTP server. My solution is to add the following rule:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

1316
Shorewall-docs/IPSEC.htm
View File

File diff suppressed because it is too large Load Diff

1595
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

4
Shorewall-docs/PPTP.htm
View File

@ -932,7 +932,7 @@ ADSL modem.<br>
</table>
</blockquote>
<div style="margin-left: 40px;">You will of course modify the 'net'
entry in /etc/shorewall/interfaces to specify 'pppo' as the interface
entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface
as described in the QuickStart Guide corresponding to your setup.<br>
</div>
<br>
@ -968,7 +968,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.<br>
</div>
<p><font size="2">Last modified 8/8/2003 - <a href="support.htm">Tom
<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>

69
Shorewall-docs/Shorewall_Doesnt.html
View File

@ -2,51 +2,52 @@
<html>
<head>
<title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<small> </small><small>
</small><small>
</small><small>
</small><small>
</small> <small> </small>
<body>
<small> </small><small> </small><small> </small><small> </small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall
<b>Cannot</b> Do</font></small></h1>
<small>
</small></td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that
Shorewall <b>Cannot</b> Do</font></small></h1>
<small> </small></td>
</tr>
</tbody>
</table>
<small><br>
</small>Shorewall cannot:<br>
<small><br>
</small>Shorewall cannot:<br>
<ul>
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by application.</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br>
</li>
<li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by
application.</li>
<li>Be used with an Operating System other than Linux (version &gt;=
2.4.0)<br>
</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
</ul>
<br>
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font>
In addition:<br>
<ul>
<li>Shorewall does not contain any support for Netfilter <span
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
only supports features from released kernels.<br>
</li>
</ul>
<br>
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

636
Shorewall-docs/configuration_file_basics.htm
View File

@ -1,409 +1,341 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to
set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
rules.</li>
<li>/etc/shorewall/proxyarp - defines use of
Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking
of packets for later use by traffic control/shaping or policy
routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification
(ECN - RFC 3168) to remote hosts or networks.</li>
<li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
<li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
users/groups with
similar access rights<br>
</li>
</ul>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first
non-whitespace character a pound sign ("#"). You may also place
comments at the end of any line, again by delimiting the comment from
the
rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>You may continue lines in the configuration files using the usual
backslash ("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE
Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
directives. An INCLUDE directive consists of the word INCLUDE followed
by a file name and causes the contents of the named file to be
logically included into the file containing the INCLUDE. File names
given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified
for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote> &nbsp;&nbsp; shorewall/params.mgmt:<br>
<blockquote> &nbsp;&nbsp; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
&nbsp;&nbsp; TIME_SERVERS=4.4.4.4<br>
&nbsp;&nbsp; BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
&nbsp;&nbsp; ----- end params.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall 1.3 /etc/shorewall/params<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE params.mgmt&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # params unique to this host here<br>
&nbsp;&nbsp; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end params -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; ACCEPT
net:$MGMT_SERVERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
$FW&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$TIME_SERVERS&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 123<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$BACKUP_SERVERS&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall version 1.3 - Rules File<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE rules.mgmt&nbsp;&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # rules unique to this host here<br>
&nbsp;&nbsp; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not
forewarned. <br>
</b></p>
<p align="left"><b>&nbsp;&nbsp;&nbsp; -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in
Shorewall configuration files may be specified as either IP addresses
or DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts those
addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<p align="left"> Each DNS name much be fully qualified and include a
minumum of two periods (although one may be trailing). This restriction
is imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply
for your inconvenience but are rather limitations of iptables.<br>
These restrictions are not imposed by Shorewall simply for your
inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,    
norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear
in any order.</li>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,&nbsp;&nbsp;&nbsp;&nbsp;
dhcp,&nbsp;&nbsp;&nbsp;&nbsp; norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, if
you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
Example (/etc/shorewall/interfaces record):</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for
address fields, Shorewall requires MAC addresses to be written
in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, your
kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex
numbers separated by colons. Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176
Bcast:206.124.146.255 Mask:255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0
overruns:0 frame:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0
overruns:0 carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX
bytes:1659782221 (1582.8 Mb)<br>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex
numbers separated by hyphens. In Shorewall, the MAC address in the
example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall
notation in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a>
file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall check,
start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those
files not in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<p> Shorewall allows you to have configuration directories other than
/etc/shorewall. The <a href="starting_and_stopping_shorewall.htm">shorewall
check, start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the
alternate directory rather than the corresponding files in
/etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read
from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary
configuration by:</p>
<ol>
<li> copying the files that need modification
from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a
shorewall start or shorewall restart command (e.g., <i><b>shorewall
-c /etc/testconfig restart</b></i> )</li>
<li> copying the files that need modification from /etc/shorewall to
a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
</ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if an
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and
if an
error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

348
Shorewall-docs/download.htm
View File

@ -1,234 +1,196 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
&nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp
file (you might also want to download the .tgz so you will
have a copy of the documentation).</li>
<li>If you run <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
TurboLinux</b> distribution with a 2.4 kernel, you can
use the RPM version (note: the RPM should also work with other
distributions that store init scripts in /etc/init.d and that include
chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>The documentation in HTML format is included in the .tgz and .rpm
files and there is an documentation .deb that also contains the
documentation.&nbsp;&nbsp;The .rpm will install the documentation in
your default document directory which can be obtained using the
following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
errata</a></font> to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
completed configuration of your firewall, you can enable startup by
removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily
Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the
each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
repository at cvs.shorewall.net</a> contains the latest snapshots of
the each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been
installed and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

530
Shorewall-docs/errata.htm
View File

@ -1,391 +1,319 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through
<u> <a
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
</p>
</li>
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a
href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a href="#iptables"> Problem with
iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel
2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0">
</a><br>
</b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0"> </a><br>
</b></li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would
fail to start with the error "ERROR:  Traffic Control requires Mangle";
that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall
script</a> which may be installed in /var/share/shorewall/firewall as described
above. This problem is also corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control. If
a MAC address is used in the SOURCE column, an error occurs as follows:<br>
<br>
     <font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
<a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in /var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your 'firewall'
script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this line:<br>
<br>
    r=`mac_match $source` <br>
<br>
with<br>
<br>
     r="`mac_match $source` "<br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR:&nbsp; Traffic Control
requires Mangle";
that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall as described above. This problem is also
corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control.
If a MAC address is used in the SOURCE column, an error occurs as
follows:<br>
<br>
&nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your
'firewall'
script (in versions 1.4.*, it is located in
/usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:<br>
<br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
<li>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br>
</li>
target="_top">this functions script</a> in
/usr/share/shorewall/functions.<br>
</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.<br>
</li>
</li>
</ul>
<h3>1.4.4<br>
</h3>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a logging
rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul>
<h3>1.4.3</h3>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem.
I have implimented a new LOGFORMAT variable which will replace LOGMARKER
which has completely solved this problem and is currently in production
with fireparse here at shorewall.net. The updated files may be found at
<a
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net.
The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
</ul>
<h3>1.4.2</h3>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be corrected
by installing <a
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be
corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above. <br>
</li>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with
an ICMP port-unreachable response rather than the more appropriate TCP
RST response. This problem is corrected in <a
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST
response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
</li>
target="_top">this updated common.def file</a> which may be installed
in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator
expected<br>
<br>
You may correct the problem by installing <a
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
&nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
target="_top">this corrected script</a> in
/usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt
to create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
<li>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
with iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and
I have also built an <a
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
iptables-1.2.4 rpm which you can download here</a>. If you are
currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level
specification while this <a
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later or:</p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set
MULTIPORT=No in /etc/shorewall/shorewall.conf;
or </li>
<li>if
you are running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall as described
above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following
form will result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
</h3>
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
and REJECT
(also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just
like DROP rules when dealing with TCP. A kernel patch and precompiled modules
to fix this problem are available at <a
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch
and precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom Eastep</a></font>
<hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</p>
<br>
<br>
</body>
</html>

BIN
Shorewall-docs/images/network.png
View File

Binary file not shown.

BIN
Shorewall-docs/images/network.vsd
View File

Binary file not shown.

381
Shorewall-docs/mailing_list.htm
View File

@ -1,147 +1,117 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td width="33%" valign="middle"
align="left">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left">
</a></h1>
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
height="79" align="left"> </a></h1>
<a href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a>
<p align="right"><font color="#ffffff"><b>  </b></font><a
height="35" alt=""> </a>
<p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0">
</a> </p>
</td>
<td valign="middle" width="34%" align="center">
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%">
<a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="158"
height="84" alt="(Postfix Logo)">
</a><br>
</td>
<td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0">
</a> </div>
<br>
border="0"> </a> </div>
<br>
<div align="right"><b><font color="#ffffff"><br>
</font></b><br>
</div>
</td>
</tr>
</tbody>
</font></b><br>
</div>
</td>
</tr>
</tbody>
</table>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
know
<br>
<big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">If you are reporting a problem or asking a
question, you are at the wrong place -- please see the <a
href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
<br>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
know
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep at
<p align="left">You can report such problems by sending mail to
tmeastep at
hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a
<h2>A Word about the SPAM Filters at Shorewall.net&nbsp;<a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
</p>
</p>
<ol>
<li>against <a
href="http://spamassassin.org">Spamassassin</a> (including <a
href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is
fully qualified.</li>
<li>to verify that the sender's domain has
an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name.</li>
<li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is
fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers
are rejecting all HTML traffic. At least one MTA has gone so far
as to blacklist shorewall.net "for continuous abuse" because it has
been my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way
to control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured the
list server at shorewall.net to strip all HTML from outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list
post, your e-mail admin may be blocking mail whose <i>Received:</i>
headers contain the names of certain ISPs. Again, I believe that such
policies hurt more than they help but I'm not prepared to go so far
as to start stripping <i>Received:</i> headers to circumvent those
policies.<br>
If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the
names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -150,135 +120,122 @@ policies.<br>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input
type="hidden" name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download
the entire
Archive -- it is 164MB (and growing daily) and my slow DSL line simply
won't
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site),
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also
posted to this list.</p>
<p align="left"><b>To post a problem report to this list or to subscribe to
the list, please see the <a
href="http://www.shorewall.net/support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">The Shorewall Users Mailing list provides a way for
users to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted to
this list.</p>
<p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a
href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.<br>
</b></big></p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<br>
</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
<p align="left">Note that prior to 1/1/2002, the mailing list was
hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from
that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br>
</p>
<p align="left"></p>
<ul>
<li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a
<p align="left">This list is for announcements of general interest to
the Shorewall community. <big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">DO NOT USE THIS LIST FOR REPORTING PROBLEMS
OR ASKING FOR HELP.</span></span></big><br>
</p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul>
<p align="left"><br>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br>
</p>
target="_top">https://lists.shorewall.net/mailman/listinfo/shorewall-announce</a>.
<br>
</p>
<a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top"></a>
<ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum
for the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development. <big><span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">DO NOT
USE THIS LIST FOR REPORTING PROBLEMS OR ASKING FOR HELP.</span></span></big></p>
<p align="left">To subscribe to the mailing list: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one
of the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about
unsubscribing from Mailman-managed lists although Mailman 2.1 has
attempted to make this less confusing. To unsubscribe:</p>
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
get a password reminder, or change your subscription options
enter your subscription email address:". Enter your email
address in the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
to be emailed to you.</p>
</li>
<li>
<p align="left">Follow the same link above that you used to
subscribe to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following
text: " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
get a password reminder, or change your subscription options
enter your subscription email address:". Enter your email address in
the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your
password and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
to be emailed to you.</p>
</li>
</ul>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 8/7/2003 - <a
<p align="left"><font size="2">Last updated 9/17/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
</body>
</html>

403
Shorewall-docs/myfiles.htm
View File

File diff suppressed because one or more lines are too long

300
Shorewall-docs/ping.html
View File

@ -2,190 +2,170 @@
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
<br>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to
upgrade since you have a very old version of Shorewall installed (1.2.4
or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated
just like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the
policy for z1 to z2 is not ACCEPT, you need a rule in
/etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with
OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and
policies just like any other connection request. In order to accept
ping requests from zone z1 to zone z2 where the policy for z1 to z2 is
not ACCEPT, you need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<span style="font-weight: bold;">NOTE:&nbsp; </span>There is one
exception to the above description. In 1.3.14 and 1.3.14a, ping from
the firewall itself is enabled unconditionally. This suprising
"feature" was removed in version 1.4.0.<br>
<blockquote> </blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
</ol>
These cases will be covered separately.<br>
These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
</ol>
<h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded
to with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp;
Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp;
8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to
with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded
to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
<li>If the relevant policy is ACCEPT then the request is responded to
with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in
/etc/shorewall/shorewall.conf then the request is responded to with an
ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
<div style="text-align: justify;"><font size="2">Updated 8/23/2003 - <a
href="support.htm">Tom Eastep</a></font></div>
<p><font size="2"> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
</body>
</html>

164
Shorewall-docs/samba.htm
View File

@ -1,112 +1,102 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Samba</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Samba</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
<p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p>
<p>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>tcp</td>
<td>137,139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>137,139</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td> </td>
</tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
</blockquote>
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>

218
Shorewall-docs/seattlefirewall_index.htm
View File

@ -98,15 +98,12 @@ uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>News</h2>
<p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img
<p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
<blockquote>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<b>Problems Corrected since version 1.4.6</b><br>
src="images/new10.gif" alt="(New)" title=""><br>
</b></p>
<b>Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2)</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
@ -121,29 +118,108 @@ during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages<br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li>The 'shorewall reject' and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over
IPV6 addresses configured on interfaces in contexts where Shorewall
needed to detect something about the interface (such as when "detect"
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow' or
'save' commands.</li>
<li>To maintain strict compatibility with previous versions,
current uses of "shorewall drop" and "shorewall reject" should be
replaced with "shorewall dropall" and "shorewall rejectall" </li>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The per-interface Dynamic Blacklisting facility introduced
in the first post-1.4.6 Snapshot has been removed. The facility had too
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b>New Features:</b><br>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is to
be used for blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is
blacklisted using these new commands, it will be blacklisted on all of
your firewall's interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give
command-specific help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to
@ -225,11 +301,97 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended against.<br>
recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a>
for details.<br>
<br>
</li>
</ol>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> <br>
<p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
<p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<p style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
size="3"><br>
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
</p>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
</font>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b>&nbsp; <br>
</b></p>
<b>Problems Corrected since version 1.4.6:</b><br>
<ol>
@ -317,7 +479,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr>
</tbody>
</table>
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>

140
Shorewall-docs/shoreline.htm
View File

@ -1,119 +1,67 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240">
</p>
<p align="center">Tom -- June 2003<br>
<br>
</p>
<p align="center"> <img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240"> </p>
<p align="center">"The Aging Geek" -- June 2003<br>
<br>
</p>
<ul>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem
Computers, Incorporated</a> (now part of the <a
href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net"> Seattle
Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home
office in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net">
Seattle Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a>
in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where
I live with my wife Tarry.&nbsp; </p>
<p></p>
<ul>
</ul>
<p>For information about our home network see <a href="myfiles.htm">my Shorewall
Configuration files.</a></p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).</p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img
border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
height="25">
</a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a
href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/ProtectedBy.png"
alt="Protected by Shorewall" width="200" height="42" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p>For information about our home network see <a href="myfiles.htm">my
Shorewall Configuration files.</a></p>
<p>All of our other systems are made by <a href="http://www.compaq.com">Compaq</a>
(part of the new <a href="http://www.hp.com/">HP</a>).</p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</body>
</html>

262
Shorewall-docs/shorewall_logging.html
View File

@ -2,155 +2,159 @@
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i>
(using the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by
NetFilter. The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
notice<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
err<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
crit<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take effect.<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">debug</span>
(Debug-level messages)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">info</span>
(Informational)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">notice</span>
(Normal but significant Condition)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-weight: bold;">
warning</span> (Warning Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">err</span>
(Error Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">crit</span>
(Critical Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">alert</span>
(Must be handled immediately)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">emerg</span>
(System is unusable)<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5
(notice) through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is available
from http://www.gnumonks.org/projects/ulogd and can be configured to log
all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have
absolutely no effect on your Shorewall logging (except for Shorewall status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a
log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is
available from http://www.gnumonks.org/projects/ulogd and can be
configured to log all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf
have
absolutely no effect on your Shorewall logging (except for Shorewall
status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either
NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
Also on the firewall system:<br>
<blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
</blockquote>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon
/usr/local/sbin/ulogd" to read daemon /usr/local/sbin/ulogd -d". On a
RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init
system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the
policy, rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 7/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch"
and
"monitor" commands.<br>
<h2>Syslog-ng</h2>
<a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
is a post describing configuring syslog-ng to work with Shorewall.<br>
<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

135
Shorewall-docs/shorewall_mirrors.htm
View File

@ -1,98 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left"><b>Remember that updates to the mirrors are often
delayed for 6-12 hours after an update to the primary rsync site. For
HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">
http://slovakia.shorewall.net</a> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
<li><a target="_top" href="http://slovakia.shorewall.net">http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" target="_top">http://shorewall.infohiiway.com</a>
(Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">http://germany.shorewall.net</a>
- Also accessible as <a href="http://www.shorewall.de" target="_top">http://www.shorewall.de</a>
(Hamburg, Germany)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br" target="_top">http://shorewall.securityopensource.org.br</a>
(Brazil)</li>
<li><a href="http://www.shorewall.com.au" target="_top">http://www.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul>
<p align="left">The rsync site is mirrored via FTP at:</p>
<ul>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA -- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall"
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall"
target="_blank">ftp://ftp.shorewall.net </a>(Washington State, USA)<br>
</li>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA
-- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">ftp://germany.shorewall.net/pub/shorewall</a>
AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shorewall.de/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul>
Search results and the mailing list archives are always fetched
from the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
</p>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep</font></a></font><br>
</p>
<br>
</body>
</html>

24
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -26,7 +26,10 @@ Guides (HOWTO's)<br>
<p align="center">With thanks to Richard who reminded me once again
that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
The French Translations of the single-IP guides are courtesy of Patrice
Vetsel<br>
The French Translation of the Shorewall Setup Guide is courtesy of
Fabien Demassieux.<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring
@ -55,10 +58,11 @@ IP address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide</a> (See Index Below) outlines the steps necessary to set up a
firewall where there are <small><small><big><big>multiple public IP
addresses</big></big></small></small> involved or if you
firewall where there are multiple public IP
addresses involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
Française</a>).</blockquote>
<ul>
</ul>
<h2><b><a name="Documentation"></a></b>Documentation Index</h2>
@ -67,6 +71,8 @@ the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
<ul>
<li><a href="Accounting.html">Accounting</a><br>
</li>
<li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual)
Interfaces (e.g., eth0:0)</a><br>
</li>
@ -122,6 +128,9 @@ in Shorewall</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a href="Accounting.html">accounting</a></li>
<li><a href="UserSets.html">usersets and users</a><br>
</li>
</ul>
</li>
<li><a href="CorpNetwork.htm">Corporate Network Example</a>
@ -234,9 +243,12 @@ commands</li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a></li>
<li><a href="Accounting.html">Traffic Accounting</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a><br>
doesn't work)</a></li>
<li><a href="UserSets.html">UID/GID Based Rules</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
@ -260,7 +272,7 @@ firewall to a remote network.</li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 8/9/2003 - <a href="support.htm">Tom
<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
M. Eastep</font></a><br>

232
Shorewall-docs/sourceforge_index.htm
View File

@ -99,44 +99,131 @@ QuickStart Guide</a> for
details.
<h2></h2>
<h2><b>News</b></h2>
<p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
<blockquote>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<b>Problems Corrected since version 1.4.6</b><br>
src="images/new10.gif" alt="(New)" title=""></b><br>
<b><br>
Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2).</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid
iptables command.</li>
<li>The
"shorewall stop" command is now disabled when
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being added to a PPP interface; the addresses were successfully added
in spite of the messages.<br>
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages<br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li value="7">The 'shorewall reject'
and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over
IPV6
addresses configured on interfaces in contexts where Shorewall needed
to detect something about the interface (such as when "detect" appears
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy
ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow' or
'save' commands.</li>
<li>To maintain strict compatibility with previous versions,
current uses of "shorewall drop" and "shorewall reject" should be
replaced with "shorewall dropall" and "shorewall rejectall" </li>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The
per-interface Dynamic Blacklisting facility introduced in the first
post-1.4.6 Snapshot has been removed. The facility had too many
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b>New Features:</b><br>
<b></b><b>New Features:</b><br>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
@ -191,10 +278,9 @@ stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my
SSH
connection to 192.168.1.5!!!</li>
<li>Given
the wide range of VPN software, I can never hope to add specific
support for all of it. I have therefore decided to add "generic" tunnel
support.<br>
<li>Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.<br>
&nbsp;<br>
Generic tunnels work pretty much like any of the other tunnel types.
You usually add a zone to represent the systems at the other end of the
@ -218,9 +304,8 @@ the remote tunnel gateway<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
address of the remote tunnel gateway.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
Optional. A comma-separated list of zone
names. If specified, the remote gateway is to be considered part of
these zones.</li>
Optional. A comma-separated list of zone names. If specified, the
remote gateway is to be considered part of these zones.</li>
<li>An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
@ -230,9 +315,94 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended against.<br>
recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
details.</li>
</ol>
<p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
<p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<div style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
- Shorewall 1.4.7 Beta 2</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""> <br>
@ -333,7 +503,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr>
</tbody>
</table>
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>

596
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -1,368 +1,326 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
Monitoring the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<p> If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you
have configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
</ol>
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program. Please refer to the <a
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the
"shorewall" shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p>
State Diagram</a> is shown at the bottom of this page. </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic
permitted through the firewall is from systems listed in /etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new connections
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic permitted
through the firewall is from systems listed in
/etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new
connections
originating from the firewall itself are allowed).</li>
<li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
<li>shorewall restart - stops the firewall (if it's running) and then
starts it again</li>
<li>shorewall reset - reset the packet and byte counters in the
firewall</li>
<li>shorewall clear - remove all rules and chains installed by
Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument,
then a shell trace of the command is produced as in:<br>
If you include the keyword <i>debug</i> as the first argument, then a
shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace information
<p>The above command would trace the 'start' command and place the
trace information
in the file /tmp/trace<br>
</p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about each
of its commands:<br>
</p>
</p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands:<br>
</p>
<ul>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
</ul>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about
the firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose
report about <i>chain </i>(iptables -L <i>chain</i>
-n -v)</li>
<li>shorewall show nat - produce a verbose report about
the nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about
the mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall
show tc
- displays information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display
the firewall status, last 20 log entries and nat. When the
log entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages
file.</li>
<li>shorewall version - Displays the installed
version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described
below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i>
timeout</i> ] - Restart shorewall using the specified configuration
and if an error occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept
and shorewall save implement <a
href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm
when new Shorewall messages are logged.</li>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i>1 [ <span style="font-style: italic;">chain2
... </span>] - produce a verbose
report about the listed <i>chains </i>(iptables -L <i>chain</i>
-n -v) <span style="font-weight: bold;">Note: </span>You may only
list one chain in the <span style="font-weight: bold;">show</span>
command when running Shorewall version 1.4.6 and earlier.&nbsp; Version
1.4.7 and later allow you to list multiple chains in one command.<br>
</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall show tc - displays information about the traffic
control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain
about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -
Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new
Shorewall messages are logged.</li>
</ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR notation
and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
range of IP addresses into the equivalent list of network/host addresses.
<br>
</li>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR
notation and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the
specified range of IP addresses into the equivalent list of
network/host addresses. <br>
</li>
</ul>
There is a set of commands dealing with <a
There is a set of commands dealing with <a
href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
<ul>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt
of packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so that
it will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets
from the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes
packets from the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables
receipt of packets from hosts previously blacklisted by a <i>drop</i>
or <i>reject</i> command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so
that it will be automatically restored the next time that the firewall
is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone
</i>- Adds the specified interface (and host if included) to the
specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
</i>- Deletes the specified interface (and host if included) from
the specified zone.</li>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the
specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will
be used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24
vpn1</b></font> -- adds the address 192.0.2.24 from interface ipsec0 to
the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall
check, </b>and <b>shorewall try </b>commands allow you to specify
which <a href="configuration_file_basics.htm#Configs"> Shorewall
configuration</a> to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ]
{start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that
Shorewall is going to use a file in /etc/shorewall it will first look
in the <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be
used.</p>
<p> When changing the configuration of a production firewall, I
recommend the following:</p>
<ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change
from /etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font
color="#009900"><b>/sbin/shorewall try .</b></font></li>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall to
. and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
<p> When the new configuration works then just </p>
<p> If the configuration starts but doesn't work, just "shorewall
restart" to restore the old configuration. If the new configuration
fails to start, the "try" command will automatically start the old one
for you.</p>
<p> When the new configuration works then just </p>
<ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted
below.<br>
</p>
<div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle">
<br>
</div>
<p>  <br>
</p>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the
actual transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
alt="(State Diagram)" width="747" height="714" align="middle"> <br>
</div>
<p>&nbsp; <br>
</p>
You will note that the commands that result in state transitions use
the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall
Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
Shorewall Configuration<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts
is passed to/from/through the firewall. For Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then
in addition, all existing connections are retained and all connection requests
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in
/etc/shorewall/hosts is passed to/from/through the firewall. For
Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then
in addition, all existing connections are retained and all connection
requests
from the firewall are accepted.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
start"<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt;
restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
<p><font size="2"> Updated 7/31/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<p><font size="2"> Updated 8/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

445
Shorewall-docs/support.htm
View File

@ -1,92 +1,62 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number of sources of Shorewall information. Please
try these before you post.
</h2>
There are a number of sources of Shorewall information. Please try
these before you post.
<ul>
<li>Shorewall versions
earlier that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
has solutions to more than 20 common problems.
</li>
<li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips
to help you solve common problems. </li>
<li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility
can locate documents and posts about similar problems:
</li>
<li>Shorewall versions earlier that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support list have
answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li>
<li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips
to help you solve common problems. </li>
<li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li> The Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
</ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1">Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -95,250 +65,193 @@ can locate documents and posts about similar problems:
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives:
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include
Mailing List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"><br>
</form>
</blockquote>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
</h2>
<ul>
<li>Please remember we only
know what is posted in your message. Do not leave out
any information that appears to be correct, or was mentioned
in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct
when it actually contained a small error. We tend to be skeptics
where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that
you're asking for <strong>free</strong> technical
support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details
that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then
ask us to send you custom configuration files.
We're here to answer your questions but we can't
do your job for you.<br>
<br>
</li>
<li>When reporting a problem,
<strong>ALWAYS</strong> include this information:</li>
<li>Please remember we only know what is posted in your message. Do
not leave out
any information that appears to be correct, or was mentioned in a
previous post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an
obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details
that we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include this
information:</li>
</ul>
<ul>
<ul>
<li>the exact version of
Shorewall you are running.<br>
<br>
<b><font
color="#009900">shorewall version</font><br>
</b> <br>
</li>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
</ul>
<ul>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
addr show<br>
<br>
</b></font></li>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
route show<br>
</b></font></li>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip route show<br>
</b></font></li>
</ul>
<ul>
</ul>
</ul>
<ul>
<ul>
<li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your
problem is that some type of connection to/from or through your firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an
attachment (you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
<li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If
your
problem is that some type of connection to/from or through your
firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an
attachment (you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul>
<li>As a general matter, please <strong>do not edit the
diagnostic information</strong> in an attempt to conceal
your IP address, netmask, nameserver addresses, domain name,
etc. These aren't secrets, and concealing them often misleads
us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of
your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try
to "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb
so don't post GIFs of your network
layout, etc. to the Mailing List -- your post will be
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and
concealing them often misleads us (and 80% of the time, a hacker could
derive them anyway from information contained in the SMTP headers of
your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that is giving you
problems? If so, include the message(s) in your post along with a copy
of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified that
file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless
unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font color="#009900"><b>shorewall
start</b></font>", include a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs of
your network
layout, etc. to the Mailing List -- your post will be
rejected.</b></li>
</ul>
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all
HTML is a Draconian way to control spam and that the
ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
</blockquote>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML based
e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to convert all HTML to
plain text. These converted posts are difficult to read so all of us
will appreciate it if you just post in plain text to begin with.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall
under MandrakeSoft Multi Network Firewall (MNF) and
you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b>
style="font-weight: 400;">please post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> </p>
</blockquote>
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list.</a> </p>
</blockquote>
<h2>Subscribing to the Users Mailing List<br>
</h2>
<blockquote>
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
<br>
Secure: <a
<p> To Subscribe to the mailing list go to <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
</p>
</blockquote>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
</p>
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>

7
Shorewall-docs/troubleshoot.htm
View File

@ -21,6 +21,11 @@
</tr>
</tbody>
</table>
<h3 style="text-align: center;"><span style="font-style: italic;">"If
you think you can you can; if you think you can't you're right.<br>
If you don't believe that you can, why should someone else?" -- Gunnar
Tapper<br>
</span></h3>
<h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to
be sure that there isn't an update that you are missing for your
@ -194,7 +199,7 @@ in /etc/shorewall/shorewall.conf.</li>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 8/8/2003 - Tom Eastep</font> </p>
<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>