extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-08-19 05:01:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.7

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@756 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
2003-10-06 22:38:40 +00:00
parent acad75f82f
commit a30b326a4b
96 changed files with 26174 additions and 26168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

334
Shorewall-docs/Documentation.htm
View File

@@ -105,6 +105,10 @@ packets for <a href="traffic_shaping.htm">Traffic Shaping/Control</a>.</li>
the firewall. This should be placed in /sbin or in /usr/sbin (the
install.sh
script and the rpm install this file in /sbin).</li>
<li><a href="Accounting.html"><span style="font-weight: bold;">accounting</span></a>
-- a parameter file in /etc/shorewall used to define traffic accounting
rules. This file was added in version 1.4.7.<br>
</li>
<li><b> version</b> -- a file created in /etc/shorewall/
(/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall
beginning in version 1.3.9) that describes the version of Shorewall
@@ -676,7 +680,10 @@ which TCP connection requests will be accepted followed by a colon
Example: <b> 10/sec:40</b> specifies that the maximum rate of TCP
connection requests allowed will be
10 per second and a burst of 40 connections will be tolerated.
Connection requests in excess of these limits will be dropped.</li>
Connection requests in excess of these limits will be dropped. See the <a
href="#Rules">rules file documentation</a> for an explaination of how
rate limiting works.<br>
</li>
</ol>
<p> In the SOURCE and DEST columns, you can enter "all" to indicate all
zones. </p>
@@ -940,6 +947,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>...</td>
@@ -955,6 +969,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@@ -965,6 +983,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@@ -975,6 +997,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>...</td>
@@ -990,6 +1016,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1010,7 +1040,7 @@ requires two rules as follows:</p>
<p> </p>
<font face="Century Gothic, Arial, Helvetica"> </font><font
face="Century Gothic, Arial, Helvetica"> </font>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<table style="border-collapse: collapse;" cellpadding="2" border="1">
<tbody>
<tr>
<td><b>ACTION</b></td>
@@ -1023,6 +1053,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td> <br>
@@ -1039,6 +1076,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>...</td>
@@ -1054,6 +1095,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@@ -1064,6 +1109,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@@ -1074,6 +1123,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>...</td>
@@ -1089,6 +1142,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1134,8 +1191,46 @@ header-rewriting rule.<br>
<li>LOG - Log the packet -- requires
a syslog level (see below).</li>
</ul>
<p>The ACTION may optionally be followed by ":" and a <a
href="shorewall_logging.html">syslog level</a> (example: REJECT:info).
<p>Beginning with Shorewall version 1.4.7, you may rate-limit the
rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt; &lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
<br>
where<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt; is the number of connections per <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;interval&gt; ("sec" or "min") and &lt;burst&gt; is the largest
burst permitted. If no burst value is given, a value of 5 is assumed.<br>
<br>
There may be no whitespace embedded in the
specification.&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; <br>
<br>
Let's take an example:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate of 2) before
a packet will be accepted from this rule, regardless of how many
packets reach it. Also, every 500ms which passes without matching a
packet, one of the bursts will be regained; if no packets hit the rule
for 2 second, the burst will be fully recharged; back where we started.<br>
<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST fields
below, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of zones covered by the rule.<br>
<br>
Rate limiting may also be specified in the RATE LIMIT column below; in
that case, it must not be specified as part of the ACTION column.<br>
<br>
The ACTION (and rate limit) may optionally be followed by ":" and a <a
href="shorewall_logging.html">syslog level</a> (example: REJECT:info
or ACCEPT&lt;2/sec:4&gt;:debugging).
This
causes the packet to be logged at the specified level prior to being
processed according to the specified ACTION. Note: if the ACTION
@@ -1145,6 +1240,8 @@ The use of DNAT or REDIRECT requires that you have <a
href="#NatEnabled">NAT enabled</a>.<br>
</p>
</li>
<li> <br>
</li>
<li><b>SOURCE</b> - Describes the source hosts to which the rule
applies.. The contents of this field must begin with the name of a zone
defined in /etc/shorewall/zones, $FW or
@@ -1269,12 +1366,63 @@ scope of a rule by incoming interface. <br>
</b>If SNAT is not used (no ":" and second IP address), the
original source address is used. If you want any destination address to
match the rule but want to specify SNAT, simply use a colon followed by
the SNAT address.</li>
the SNAT address.<br>
<br>
</li>
<li><span style="font-weight: bold;">RATE LIMIT </span>- Beginning
with Shorewall version 1.4.7, you may rate-limit ACCEPT, DNAT[-],
REDIRECT[-] or LOG rules with an entry in this column. Entries have the
form<br>
&nbsp;<br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] <br>
<br>
where<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt; is the number of connections per <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;interval&gt; ("sec" or "min") and &lt;burst&gt; is the largest
burst permitted. If no burst value is given, a value of 5 is assumed.<br>
<br>
There may be no whitespace embedded in the
specification.&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; <br>
<br>
Let's take an example:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate of 2) before
a packet will be accepted from this rule, regardless of how many
packets reach it. Also, every 500ms which passes without matching a
packet, one of the bursts will be regained; if no packets hit the rule
for 2 second, the burst will be fully recharged; back where we started.<br>
<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST fields
below, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of zones covered by the rule.<br>
<br>
Rate limiting may also be specified in the ACTION column above; in that
case, it must not be specified as part of the RATE LIMIT column.<br>
<br>
If you want to specify any following columns but no rate limit, place
"-" in this column.<br>
<br>
</li>
<li><span style="font-weight: bold;">USER SET </span>- Beginning
with Shorewall release 1.4.7, output rules from the firewall itself may
be restricted to a particular set of users and/or user groups. See the <a
href="UserSets.html">User Set Documentation </a>for details.<br>
</li>
</ul>
<p><b> <font face="Century Gothic, Arial, Helvetica"> <a
name="PortForward"></a> </font>Example 1. </b> You wish to forward
all ssh connection requests from the internet to local system
192.168.1.3. </p>
192.168.1.3.&nbsp; You wish to limit the number of connections to
4/minute with a burst of 8 (Shorewall 1.4.7 and later only): </p>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@@ -1289,9 +1437,17 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET<br>
</span></td>
</tr>
<tr>
<td>DNAT</td>
<td>DNAT&lt;4/min:8&gt;</td>
<td>net</td>
<td>loc:192.168.1.3</td>
<td>tcp</td>
@@ -1300,6 +1456,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1326,6 +1486,14 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET<br>
</span></td>
</tr>
<tr>
<td>REDIRECT</td>
@@ -1336,6 +1504,10 @@ DEST</b></td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
@@ -1347,6 +1519,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1369,6 +1545,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>ACCEPT</td>
@@ -1379,6 +1562,10 @@ DEST</b></td>
<td>-</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
@@ -1390,6 +1577,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1423,6 +1614,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>DNAT</td>
@@ -1434,6 +1632,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td>DNAT</td>
@@ -1443,6 +1645,10 @@ DEST</b></td>
<td>ftp</td>
<td>-</td>
<td>155.186.235.151</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1475,6 +1681,13 @@ PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td>ACCEPT</td>
@@ -1487,6 +1700,10 @@ DEST</b></td>
</td>
<td> <br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1511,9 +1728,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
@@ -1530,6 +1754,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1560,9 +1788,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
@@ -1579,6 +1814,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1606,9 +1845,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">DNAT-<br>
@@ -1625,6 +1871,10 @@ DEST<br>
</td>
<td valign="top">192.0.2.178<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td valign="top">DNAT-<br>
@@ -1641,6 +1891,10 @@ DEST<br>
</td>
<td valign="top">192.0.2.179<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
@@ -1657,6 +1911,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1687,9 +1945,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
<td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br>
</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr>
<tr>
<td valign="top">DNAT<br>
@@ -1706,6 +1971,10 @@ DEST<br>
</td>
<td valign="top"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
@@ -1765,9 +2034,15 @@ static IP on that interface, listing it here makes processing of output
packets a little less expensive for the firewall. If you specify an
address in this column, it must be an IP address configured on the
INTERFACE or you must have
ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a></li>
ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a>
Beginning with Shorewall version 1.4.6, you may include a range of IP
addresses in this column to indicate that Netfilter should use the
addresses in the range in round-robin fashion. Beginning with Shorewall
version 1.4.7, you may include a list of ranges and/or addresses in
this column; again, Netfilter will use all listed ranges/addresses in
rounde-robin fashion.</li>
</ul>
<p><b> Example 1: </b> You have eth0 connected to a cable modem and
<p><b>Example 1: </b> You have eth0 connected to a cable modem and
eth1 connected to your local subnetwork 192.168.9.0/24. Your
/etc/shorewall/masq file would look like: </p>
<blockquote>
@@ -1865,6 +2140,26 @@ name eth0:0. You must have ADD_SNAT_ALIASES=Yes in <a href="#Conf">/etc/shorewal
</tbody>
</table>
</blockquote>
<span style="font-weight: bold;">Example 6 (Shorewall version &gt;=
1.4.7): </span>You want to use both 206.124.146.177 and
206.124.146.179 for SNAT of the subnet 192.168.12.0/24. Each address
will be used on alternate outbound connections.<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b> INTERFACE</b></td>
<td><b> SUBNET</b></td>
<td><b>ADDRESS</b></td>
</tr>
<tr>
<td>eth0</td>
<td>192.168.12.0/24</td>
<td>206.124.146.177,206.124.146.179</td>
</tr>
</tbody>
</table>
</blockquote>
<h2><font color="#660066"><b><a name="ProxyArp"></a> </b></font>/etc/shorewall/proxyarp</h2>
<p>If you want to use proxy ARP on an entire sub-network, I suggest
that you look at <a
@@ -2009,8 +2304,10 @@ kernel compilation errors.</p>
may be found here,</a></b> <b><a href="IPIP.htm">instructions for IPIP
and GRE tunnels are here</a></b>, <b><a href="OPENVPN.html">instructions
for OpenVPN tunnels are here</a></b>, <b><a href="PPTP.htm">instructions
for PPTP tunnels are here</a> and <a href="6to4.htm">instructions for
6to4 tunnels</a> are here.</b></p>
for PPTP tunnels are here</a>, <a href="6to4.htm">instructions for
6to4 tunnels are here</a> and <a href="GenericTunnels.html">instructions
for integrating Shorewall with other types of tunnels are here</a>.<br>
</b></p>
<h2><a name="Conf"></a>/etc/shorewall/shorewall.conf</h2>
<p> This file is used to set the following firewall parameters:</p>
<ul>
@@ -2484,7 +2781,9 @@ blacklist capability.</a></p>
<p><font color="#cc6666"><b>IMPORTANT: The Shorewall blacklist file is <u>NOT</u>
designed to police your users' web browsing -- to do that, I suggest
that you install and configure Squid (<a
href="http://www.squid-cache.org">http://www.squid-cache.org</a>). </b></font></p>
href="http://www.squid-cache.org">http://www.squid-cache.org</a>) with
SquidGuard (<a href="http://www.squidguard.org/">http://www.squidguard.org/</a>).
</b></font></p>
<h2><a name="rfc1918"></a>/etc/shorewall/rfc1918 (Added in Version
1.3.1)</h2>
<p>This file lists the subnets affected by the <a href="#Interfaces"><i>norfc1918</i>
@@ -2543,7 +2842,8 @@ Validation Documentation</a>.<br>
<h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
This file is described in the <a href="ECN.html">ECN Control
Documentation</a>.<br>
<p><font size="-1"> Updated 8/8/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> <20> <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>

2372
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

368
Shorewall-docs/FTP.html
View File

@@ -1,234 +1,214 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall and FTP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<h2></h2>
<blockquote> </blockquote>
<p>FTP transfers involve two TCP connections. The first <u>control</u> connection
goes from the FTP client to port 21 on the FTP server. This connection is
used for logon and to send commands and responses between the endpoints.
Data transfers (including the output of "ls" and "dir" commands) requires
a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
<blockquote> </blockquote>
<p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
connection is used for logon and to send commands and responses between
the endpoints. Data transfers (including the output of "ls" and "dir"
commands) requires a second <u>data</u> connection. The data
connection is dependent on the <u>mode</u>
that the client is operating in:<br>
</p>
</p>
<ul>
<li>Passive Mode (default for web browsers) -- The client issues a PASV
command. Upon receipt of this command, the server listens on a dynamically-allocated
port then sends a PASV reply to the client. The PASV reply gives the IP address
and port number that the server is listening on. The client then opens a
<li>Passive Mode (default for web browsers) -- The client issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client. The
PASV reply gives the IP address
and port number that the server is listening on. The client then opens
a
second connection to that IP address and port number.</li>
<li>Active Mode (often the default for line-mode clients) -- The client
listens on a dynamically-allocated port then sends a PORT command to the
server. The PORT command gives the IP address and port number that the client
is listening on. The server then opens a connection to that IP address and
port number; the <u>source port</u> for this connection is 20 (ftp-data in
/etc/services).</li>
<li>Active Mode (often the default for line-mode clients) -- The
client listens on a dynamically-allocated port then sends a PORT
command to the server. The PORT command gives the IP address and port
number that the client is listening on. The server then opens a
connection to that IP address and port number; the <u>source port</u>
for this connection is 20 (ftp-data in /etc/services).</li>
</ul>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive mode
and that I can toggle between passive and active mode by issuing a "passive"
command:<br>
<blockquote>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive
mode and that I can toggle between passive and active mode by issuing a
"passive" command:<br>
<blockquote>
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
</blockquote>
Things to notice:<br>
</blockquote>
Things to notice:<br>
<ol>
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP address;
and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and separates
the two bytes by a comma. As shown in the PORT command, port 142,58 translates
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP
address; and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and
separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates
to 142*256+58 = 36410.<br>
</li>
</li>
</ol>
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode requires
the firewall to dynamically open a "hole" for the server's connection back
to the client. Similarly, if you are running an FTP server in your local
zone then active mode should always work but passive mode requires the firewall
to dynamically open a "hole" for the client's second connection to the server.
This is the role of FTP connection-tracking support in the Linux kernel.
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode
requires the firewall to dynamically open a "hole" for the server's
connection back to the client. Similarly, if you are running an FTP
server in your local
zone then active mode should always work but passive mode requires the
firewall to dynamically open a "hole" for the client's second
connection to the server. This is the role of FTP connection-tracking
support in the Linux kernel.
<div align="left"><br>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved,
the PORT commands and PASV responses may also need to be modified by the
firewall. This is the job of the FTP nat support kernel function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
modified by the firewall. This is the job of the FTP nat support kernel
function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means
that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
<p>Example:<br>
</p>
<blockquote>
</p>
<blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate directory,
you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf
to point to that directory.<br>
</p>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21.<2E><br>
</p>
<p>The above discussion about commands and responses makes it clear that the
FTP connection-tracking and NAT helpers must scan the traffic on the control
connection looking for PASV and PORT commands as well as PASV responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,<2C> you must therefore let the helpers know by specifying the port
in /etc/shorewall/modules entries for the helpers. For example, if you
run an FTP server that listens on port 49 then you would have:<br>
</p>
<blockquote>
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21.&nbsp;<br>
</p>
<p>The above discussion about commands and responses makes it clear
that the
FTP connection-tracking and NAT helpers must scan the traffic on the
control
connection looking for PASV and PORT commands as well as PASV
responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,&nbsp; you must therefore let the helpers know by specifying
the port
in /etc/shorewall/modules entries for the helpers. <span
style="font-weight: bold;">For example, if you
run an FTP server that listens on port 49 or you need to access a
server on the internet that listens on that port then you would have:</span><br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
may have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in
/etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to
/etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot</li>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
restart</font></b>); or</li>
<li>Reboot</li>
</ol>
One problem that I see occasionally involves active mode and the FTP server
in my DMZ. I see the active data connection <u>to certain client IP addresses</u>
being continuously rejected by my firewall. It is my conjecture that there
is some broken client out there that is sending a PORT command that is being
either missed or mis-interpreted by the FTP connection tracking helper yet
it is being accepted by my FTP server. My solution is to add the following
rule:<br>
<blockquote>
One problem that I see occasionally involves active mode and the FTP
server in my DMZ. I see the active data connection <u>to certain
client IP addresses</u> being continuously rejected by my firewall. It
is my conjecture that there is some broken client out there that is
sending a PORT command that is being either missed or mis-interpreted
by the FTP connection tracking helper yet it is being accepted by my
FTP server. My solution is to add the following rule:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
<20> <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> <20> <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

1316
Shorewall-docs/IPSEC.htm
View File

File diff suppressed because it is too large Load Diff

1595
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

4
Shorewall-docs/PPTP.htm
View File

@@ -932,7 +932,7 @@ ADSL modem.<br>
</table>
</blockquote>
<div style="margin-left: 40px;">You will of course modify the 'net'
entry in /etc/shorewall/interfaces to specify 'pppo' as the interface
entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface
as described in the QuickStart Guide corresponding to your setup.<br>
</div>
<br>
@@ -968,7 +968,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.<br>
</div>
<p><font size="2">Last modified 8/8/2003 - <a href="support.htm">Tom
<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> <20> <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>

69
Shorewall-docs/Shorewall_Doesnt.html
View File

@@ -2,51 +2,52 @@
<html>
<head>
<title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<small> </small><small>
</small><small>
</small><small>
</small><small>
</small> <small> </small>
<body>
<small> </small><small> </small><small> </small><small> </small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall
<b>Cannot</b> Do</font></small></h1>
<small>
</small></td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that
Shorewall <b>Cannot</b> Do</font></small></h1>
<small> </small></td>
</tr>
</tbody>
</table>
<small><br>
</small>Shorewall cannot:<br>
<small><br>
</small>Shorewall cannot:<br>
<ul>
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by application.</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br>
</li>
<li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by
application.</li>
<li>Be used with an Operating System other than Linux (version &gt;=
2.4.0)<br>
</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
</ul>
<br>
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font>
In addition:<br>
<ul>
<li>Shorewall does not contain any support for Netfilter <span
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
only supports features from released kernels.<br>
</li>
</ul>
<br>
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

636
Shorewall-docs/configuration_file_basics.htm
View File

@@ -1,409 +1,341 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to
set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
rules.</li>
<li>/etc/shorewall/proxyarp - defines use of
Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking
of packets for later use by traffic control/shaping or policy
routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification
(ECN - RFC 3168) to remote hosts or networks.</li>
<li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
<li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
users/groups with
similar access rights<br>
</li>
</ul>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first
non-whitespace character a pound sign ("#"). You may also place
comments at the end of any line, again by delimiting the comment from
the
rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>You may continue lines in the configuration files using the usual
backslash ("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote> <20><> shorewall/params.mgmt:<br>
<blockquote> <20><> MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
<20><> TIME_SERVERS=4.4.4.4<br>
<20><> BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
<20><> ----- end params.mgmt -----<br>
</blockquote>
<blockquote> <20><> shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote> <20><> # Shorewall 1.3 /etc/shorewall/params<br>
<20><> [..]<br>
<20><> #######################################<br>
<20><br>
<20><> INCLUDE params.mgmt<6D><74><EFBFBD> <br>
<20> <br>
<20><> # params unique to this host here<br>
<20><> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote> <20><> ----- end params -----<br>
</blockquote>
<blockquote> <20><> shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote> <20><> ACCEPT net:$MGMT_SERVERS<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> $FW<46><57><EFBFBD> tcp<63><70><EFBFBD> 22<br>
<20><> ACCEPT $FW<46><57><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> net:$TIME_SERVERS<52><53><EFBFBD> udp<64><70><EFBFBD> 123<br>
<20><> ACCEPT $FW<46><57><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> net:$BACKUP_SERVERS<52> tcp<63><70><EFBFBD> 22<br>
</blockquote>
</blockquote>
<blockquote> <20><> ----- end rules.mgmt -----<br>
</blockquote>
<blockquote> <20><> shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote> <20><> # Shorewall version 1.3 - Rules File<br>
<20><> [..]<br>
<20><> #######################################<br>
<20><br>
<20><> INCLUDE rules.mgmt<6D><74><EFBFBD><EFBFBD> <br>
<20> <br>
<20><> # rules unique to this host here<br>
<20><> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote> <20><> ----- end rules -----<br>
</blockquote>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE
Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
directives. An INCLUDE directive consists of the word INCLUDE followed
by a file name and causes the contents of the named file to be
logically included into the file containing the INCLUDE. File names
given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified
for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote> &nbsp;&nbsp; shorewall/params.mgmt:<br>
<blockquote> &nbsp;&nbsp; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
&nbsp;&nbsp; TIME_SERVERS=4.4.4.4<br>
&nbsp;&nbsp; BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
&nbsp;&nbsp; ----- end params.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall 1.3 /etc/shorewall/params<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE params.mgmt&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # params unique to this host here<br>
&nbsp;&nbsp; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end params -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; ACCEPT
net:$MGMT_SERVERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
$FW&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$TIME_SERVERS&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 123<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$BACKUP_SERVERS&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall version 1.3 - Rules File<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE rules.mgmt&nbsp;&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # rules unique to this host here<br>
&nbsp;&nbsp; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b><EFBFBD><EFBFBD><EFBFBD> -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not
forewarned. <br>
</b></p>
<p align="left"><b>&nbsp;&nbsp;&nbsp; -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in
Shorewall configuration files may be specified as either IP addresses
or DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts those
addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<p align="left"> Each DNS name much be fully qualified and include a
minumum of two periods (although one may be trailing). This restriction
is imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply
for your inconvenience but are rather limitations of iptables.<br>
These restrictions are not imposed by Shorewall simply for your
inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,<2C><><EFBFBD><EFBFBD> dhcp,<2C><><EFBFBD><EFBFBD>
norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear
in any order.</li>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,&nbsp;&nbsp;&nbsp;&nbsp;
dhcp,&nbsp;&nbsp;&nbsp;&nbsp; norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, if
you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
Example (/etc/shorewall/interfaces record):</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
<20><><EFBFBD><EFBFBD> [root@gateway root]# ifconfig eth0<br>
<20><><EFBFBD><EFBFBD> eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
<20><><EFBFBD><EFBFBD> inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
<20><><EFBFBD><EFBFBD> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
<20><><EFBFBD><EFBFBD> RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
<20><><EFBFBD><EFBFBD> TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
<20><><EFBFBD><EFBFBD> collisions:30394 txqueuelen:100<br>
<20><><EFBFBD><EFBFBD> RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
<20><><EFBFBD><EFBFBD> Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for
address fields, Shorewall requires MAC addresses to be written
in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, your
kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex
numbers separated by colons. Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176
Bcast:206.124.146.255 Mask:255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0
overruns:0 frame:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0
overruns:0 carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX
bytes:1659782221 (1582.8 Mb)<br>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex
numbers separated by hyphens. In Shorewall, the MAC address in the
example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall
notation in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a>
file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall check,
start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those
files not in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<p> Shorewall allows you to have configuration directories other than
/etc/shorewall. The <a href="starting_and_stopping_shorewall.htm">shorewall
check, start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the
alternate directory rather than the corresponding files in
/etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read
from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary
configuration by:</p>
<ol>
<li> copying the files that need modification
from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a
shorewall start or shorewall restart command (e.g., <i><b>shorewall
-c /etc/testconfig restart</b></i> )</li>
<li> copying the files that need modification from /etc/shorewall to
a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
</ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if an
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and
if an
error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<20> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<EFBFBD> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

348
Shorewall-docs/download.htm
View File

@@ -1,234 +1,196 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p><EFBFBD><EFBFBD><EFBFBD> <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
<20><><EFBFBD> <a
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
<20><><EFBFBD> <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
&nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp
file (you might also want to download the .tgz so you will
have a copy of the documentation).</li>
<li>If you run <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
TurboLinux</b> distribution with a 2.4 kernel, you can
use the RPM version (note: the RPM should also work with other
distributions that store init scripts in /etc/init.d and that include
chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.<2E><>The
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p>The documentation in HTML format is included in the .tgz and .rpm
files and there is an documentation .deb that also contains the
documentation.&nbsp;&nbsp;The .rpm will install the documentation in
your default document directory which can be obtained using the
following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
errata</a></font> to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
completed configuration of your firewall, you can enable startup by
removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily
Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the
each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
repository at cvs.shorewall.net</a> contains the latest snapshots of
the each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been
installed and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> <20> <font
<p><a href="copyright.htm"><font size="2">Copyright</font> <20> <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

530
Shorewall-docs/errata.htm
View File

@@ -1,391 +1,319 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through
<u> <a
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
</p>
</li>
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a
href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a href="#iptables"> Problem with
iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel
2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0">
</a><br>
</b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0"> </a><br>
</b></li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would
fail to start with the error "ERROR:<EFBFBD> Traffic Control requires Mangle";
that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall
script</a> which may be installed in /var/share/shorewall/firewall as described
above. This problem is also corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control. If
a MAC address is used in the SOURCE column, an error occurs as follows:<br>
<br>
<20> <20> <20><font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
<a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in /var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your 'firewall'
script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this line:<br>
<br>
<20> <20> r=`mac_match $source`<60><br>
<br>
with<br>
<br>
<20> <20> <20>r="`mac_match $source` "<br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR:&nbsp; Traffic Control
requires Mangle";
that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall as described above. This problem is also
corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control.
If a MAC address is used in the SOURCE column, an error occurs as
follows:<br>
<br>
&nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your
'firewall'
script (in versions 1.4.*, it is located in
/usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:<br>
<br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
<li>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br>
</li>
target="_top">this functions script</a> in
/usr/share/shorewall/functions.<br>
</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.<br>
</li>
</li>
</ul>
<h3>1.4.4<br>
</h3>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a logging
rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul>
<h3>1.4.3</h3>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem.
I have implimented a new LOGFORMAT variable which will replace LOGMARKER
which has completely solved this problem and is currently in production
with fireparse here at shorewall.net. The updated files may be found at
<a
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net.
The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
</ul>
<h3>1.4.2</h3>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be corrected
by installing <a
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be
corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above. <br>
</li>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with
an ICMP port-unreachable response rather than the more appropriate TCP
RST response. This problem is corrected in <a
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST
response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
</li>
target="_top">this updated common.def file</a> which may be installed
in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
<20> <20> <20>/usr/share/shorewall/firewall: line 2174: [: =: unary operator
expected<br>
<br>
You may correct the problem by installing <a
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
&nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
target="_top">this corrected script</a> in
/usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt
to create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
<li>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.<2E></p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
with iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a><EFBFBD> and
I have also built an <a
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
iptables-1.2.4 rpm which you can download here</a>. If you are
currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
</font>I have installed this RPM on my firewall and
it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level
specification while this <a
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the<EFBFBD> TOS target.</p>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later or:</p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set
MULTIPORT=No in /etc/shorewall/shorewall.conf;
or </li>
<li>if
you are running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall as described
above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following
form will result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL<41><4C><EFBFBD><EFBFBD><EFBFBD><EFBFBD> INTERFACE<43><45><EFBFBD><EFBFBD><EFBFBD><EFBFBD> INTERNAL<41><4C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ALL INTERFACES<45><53><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> LOCAL<br>192.0.2.22<EFBFBD><EFBFBD><EFBFBD> eth0<68><30><EFBFBD> 192.168.9.22<EFBFBD><EFBFBD> yes<65><73><EFBFBD><EFBFBD> yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
</h3>
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
and REJECT
(also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just
like DROP rules when dealing with TCP. A kernel patch and precompiled modules
to fix this problem are available at <a
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch
and precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom Eastep</a></font>
<hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> <20> <font
<p><a href="copyright.htm"><font size="2">Copyright</font> <20> <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</p>
<br>
<br>
</body>
</html>

BIN
Shorewall-docs/images/network.png
View File

Binary file not shown.

BIN
Shorewall-docs/images/network.vsd
View File

Binary file not shown.

381
Shorewall-docs/mailing_list.htm
View File

@@ -1,147 +1,117 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td width="33%" valign="middle"
align="left">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left">
</a></h1>
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
height="79" align="left"> </a></h1>
<a href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a>
<p align="right"><font color="#ffffff"><b><EFBFBD> </b></font><a
height="35" alt=""> </a>
<p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0">
</a> </p>
</td>
<td valign="middle" width="34%" align="center">
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%">
<a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="158"
height="84" alt="(Postfix Logo)">
</a><br>
</td>
<td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0">
</a> </div>
<br>
border="0"> </a> </div>
<br>
<div align="right"><b><font color="#ffffff"><br>
</font></b><br>
</div>
</td>
</tr>
</tbody>
</font></b><br>
</div>
</td>
</tr>
</tbody>
</table>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
know
<br>
<big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">If you are reporting a problem or asking a
question, you are at the wrong place -- please see the <a
href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
<br>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
know
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep at
<p align="left">You can report such problems by sending mail to
tmeastep at
hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net<65><a
<h2>A Word about the SPAM Filters at Shorewall.net&nbsp;<a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
</p>
</p>
<ol>
<li>against <a
href="http://spamassassin.org">Spamassassin</a> (including <a
href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is
fully qualified.</li>
<li>to verify that the sender's domain has
an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name.</li>
<li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is
fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers
are rejecting all HTML traffic. At least one MTA has gone so far
as to blacklist shorewall.net "for continuous abuse" because it has
been my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way
to control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured the
list server at shorewall.net to strip all HTML from outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list
post, your e-mail admin may be blocking mail whose <i>Received:</i>
headers contain the names of certain ISPs. Again, I believe that such
policies hurt more than they help but I'm not prepared to go so far
as to start stripping <i>Received:</i> headers to circumvent those
policies.<br>
If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the
names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@@ -150,135 +120,122 @@ policies.<br>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
</font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input
type="hidden" name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download
the entire
Archive -- it is 164MB (and growing daily) and my slow DSL line simply
won't
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site),
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also
posted to this list.</p>
<p align="left"><b>To post a problem report to this list or to subscribe to
the list, please see the <a
href="http://www.shorewall.net/support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">The Shorewall Users Mailing list provides a way for
users to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted to
this list.</p>
<p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a
href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.<br>
</b></big></p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<br>
</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
<p align="left">Note that prior to 1/1/2002, the mailing list was
hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from
that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br>
</p>
<p align="left"></p>
<ul>
<li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a
<p align="left">This list is for announcements of general interest to
the Shorewall community. <big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">DO NOT USE THIS LIST FOR REPORTING PROBLEMS
OR ASKING FOR HELP.</span></span></big><br>
</p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul>
<p align="left"><br>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br>
</p>
target="_top">https://lists.shorewall.net/mailman/listinfo/shorewall-announce</a>.
<br>
</p>
<a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top"></a>
<ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>.<2E></p>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum
for the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development. <big><span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">DO NOT
USE THIS LIST FOR REPORTING PROBLEMS OR ASKING FOR HELP.</span></span></big></p>
<p align="left">To subscribe to the mailing list: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one
of the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about
unsubscribing from Mailman-managed lists although Mailman 2.1 has
attempted to make this less confusing. To unsubscribe:</p>
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
get a password reminder, or change your subscription options
enter your subscription email address:". Enter your email
address in the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
to be emailed to you.</p>
</li>
<li>
<p align="left">Follow the same link above that you used to
subscribe to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following
text: " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
get a password reminder, or change your subscription options
enter your subscription email address:". Enter your email address in
the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your
password and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
to be emailed to you.</p>
</li>
</ul>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 8/7/2003 - <a
<p align="left"><font size="2">Last updated 9/17/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <EFBFBD>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<EFBFBD>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
</body>
</html>

403
Shorewall-docs/myfiles.htm
View File

File diff suppressed because one or more lines are too long

300
Shorewall-docs/ping.html
View File

@@ -2,190 +2,170 @@
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
<br>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to
upgrade since you have a very old version of Shorewall installed (1.2.4
or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated
just like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the
policy for z1 to z2 is not ACCEPT, you need a rule in
/etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with
OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and
policies just like any other connection request. In order to accept
ping requests from zone z1 to zone z2 where the policy for z1 to z2 is
not ACCEPT, you need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<span style="font-weight: bold;">NOTE:&nbsp; </span>There is one
exception to the above description. In 1.3.14 and 1.3.14a, ping from
the firewall itself is enabled unconditionally. This suprising
"feature" was removed in version 1.4.0.<br>
<blockquote> </blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
</ol>
These cases will be covered separately.<br>
These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
</ol>
<h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded
to with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp;
Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp;
8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to
with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded
to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
<li>If the relevant policy is ACCEPT then the request is responded to
with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in
/etc/shorewall/shorewall.conf then the request is responded to with an
ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
<div style="text-align: justify;"><font size="2">Updated 8/23/2003 - <a
href="support.htm">Tom Eastep</a></font></div>
<p><font size="2"> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
</body>
</html>

164
Shorewall-docs/samba.htm
View File

@@ -1,112 +1,102 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Samba</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Samba</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
<p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p>
<p>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>tcp</td>
<td>137,139</td>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td><EFBFBD></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>137,139</td>
<td><EFBFBD></td>
<td><EFBFBD></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td><EFBFBD></td>
</tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
</blockquote>
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
<EFBFBD> <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>

218
Shorewall-docs/seattlefirewall_index.htm
View File

@@ -98,15 +98,12 @@ uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>News</h2>
<p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img
<p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
<blockquote>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<b>Problems Corrected since version 1.4.6</b><br>
src="images/new10.gif" alt="(New)" title=""><br>
</b></p>
<b>Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2)</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
@@ -121,29 +118,108 @@ during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages<br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li>The 'shorewall reject' and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over
IPV6 addresses configured on interfaces in contexts where Shorewall
needed to detect something about the interface (such as when "detect"
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow' or
'save' commands.</li>
<li>To maintain strict compatibility with previous versions,
current uses of "shorewall drop" and "shorewall reject" should be
replaced with "shorewall dropall" and "shorewall rejectall" </li>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The per-interface Dynamic Blacklisting facility introduced
in the first post-1.4.6 Snapshot has been removed. The facility had too
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b>New Features:</b><br>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is to
be used for blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is
blacklisted using these new commands, it will be blacklisted on all of
your firewall's interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give
command-specific help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to
@@ -225,11 +301,97 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended against.<br>
recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a>
for details.<br>
<br>
</li>
</ol>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> <br>
<p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
<p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<p style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
size="3"><br>
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
</p>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
</font>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b>&nbsp; <br>
</b></p>
<b>Problems Corrected since version 1.4.6:</b><br>
<ol>
@@ -317,7 +479,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr>
</tbody>
</table>
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>

140
Shorewall-docs/shoreline.htm
View File

@@ -1,119 +1,67 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240">
</p>
<p align="center">Tom -- June 2003<br>
<br>
</p>
<p align="center"> <img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240"> </p>
<p align="center">"The Aging Geek" -- June 2003<br>
<br>
</p>
<ul>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem
Computers, Incorporated</a> (now part of the <a
href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net"> Seattle
Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home
office in 1999 and had DSL service installed in our home. I
investigated ipchains and developed the scripts which are now
collectively known as <a href="http://seawall.sourceforge.net">
Seattle Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in<69><a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.<2E> </p>
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a>
in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where
I live with my wife Tarry.&nbsp; </p>
<p></p>
<ul>
</ul>
<p>For information about our home network see <a href="myfiles.htm">my Shorewall
Configuration files.</a></p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).</p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img
border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
height="25">
</a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a
href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/ProtectedBy.png"
alt="Protected by Shorewall" width="200" height="42" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a> <20><a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> <20> <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p>For information about our home network see <a href="myfiles.htm">my
Shorewall Configuration files.</a></p>
<p>All of our other systems are made by <a href="http://www.compaq.com">Compaq</a>
(part of the new <a href="http://www.hp.com/">HP</a>).</p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<EFBFBD> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</body>
</html>

262
Shorewall-docs/shorewall_logging.html
View File

@@ -2,155 +2,159 @@
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i>
(using the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by
NetFilter. The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
notice<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
err<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
crit<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take effect.<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">debug</span>
(Debug-level messages)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">info</span>
(Informational)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">notice</span>
(Normal but significant Condition)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-weight: bold;">
warning</span> (Warning Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">err</span>
(Error Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">crit</span>
(Critical Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">alert</span>
(Must be handled immediately)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">emerg</span>
(System is unusable)<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5
(notice) through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is available
from http://www.gnumonks.org/projects/ulogd and can be configured to log
all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have
absolutely no effect on your Shorewall logging (except for Shorewall status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a
log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is
available from http://www.gnumonks.org/projects/ulogd and can be
configured to log all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf
have
absolutely no effect on your Shorewall logging (except for Shorewall
status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either
NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
Also on the firewall system:<br>
<blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
</blockquote>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon
/usr/local/sbin/ulogd" to read daemon /usr/local/sbin/ulogd -d". On a
RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init
system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the
policy, rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 7/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch"
and
"monitor" commands.<br>
<h2>Syslog-ng</h2>
<a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
is a post describing configuring syslog-ng to work with Shorewall.<br>
<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

135
Shorewall-docs/shorewall_mirrors.htm
View File

@@ -1,98 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left"><b>Remember that updates to the mirrors are often
delayed for 6-12 hours after an update to the primary rsync site. For
HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">
http://slovakia.shorewall.net</a> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
<li><a target="_top" href="http://slovakia.shorewall.net">http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" target="_top">http://shorewall.infohiiway.com</a>
(Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">http://germany.shorewall.net</a>
- Also accessible as <a href="http://www.shorewall.de" target="_top">http://www.shorewall.de</a>
(Hamburg, Germany)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br" target="_top">http://shorewall.securityopensource.org.br</a>
(Brazil)</li>
<li><a href="http://www.shorewall.com.au" target="_top">http://www.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul>
<p align="left">The rsync site is mirrored via FTP at:</p>
<ul>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA -- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall"
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall"
target="_blank">ftp://ftp.shorewall.net </a>(Washington State, USA)<br>
</li>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA
-- temporarily unavailable).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">ftp://germany.shorewall.net/pub/shorewall</a>
AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shorewall.de/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
(Australia)<br>
</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul>
Search results and the mailing list archives are always fetched
from the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> <20> <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
</p>
<br>
size="2">Copyright</font> <20> <font size="2">2001, 2002, 2003 Thomas M.
Eastep</font></a></font><br>
</p>
<br>
</body>
</html>

24
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@@ -26,7 +26,10 @@ Guides (HOWTO's)<br>
<p align="center">With thanks to Richard who reminded me once again
that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
The French Translations of the single-IP guides are courtesy of Patrice
Vetsel<br>
The French Translation of the Shorewall Setup Guide is courtesy of
Fabien Demassieux.<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring
@@ -55,10 +58,11 @@ IP address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide</a> (See Index Below) outlines the steps necessary to set up a
firewall where there are <small><small><big><big>multiple public IP
addresses</big></big></small></small> involved or if you
firewall where there are multiple public IP
addresses involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
Fran<EFBFBD>aise</a>).</blockquote>
<ul>
</ul>
<h2><b><a name="Documentation"></a></b>Documentation Index</h2>
@@ -67,6 +71,8 @@ the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
<ul>
<li><a href="Accounting.html">Accounting</a><br>
</li>
<li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual)
Interfaces (e.g., eth0:0)</a><br>
</li>
@@ -122,6 +128,9 @@ in Shorewall</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a href="Accounting.html">accounting</a></li>
<li><a href="UserSets.html">usersets and users</a><br>
</li>
</ul>
</li>
<li><a href="CorpNetwork.htm">Corporate Network Example</a>
@@ -234,9 +243,12 @@ commands</li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a></li>
<li><a href="Accounting.html">Traffic Accounting</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a><br>
doesn't work)</a></li>
<li><a href="UserSets.html">UID/GID Based Rules</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
@@ -260,7 +272,7 @@ firewall to a remote network.</li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 8/9/2003 - <a href="support.htm">Tom
<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
M. Eastep</font></a><br>

232
Shorewall-docs/sourceforge_index.htm
View File

@@ -99,44 +99,131 @@ QuickStart Guide</a> for
details.
<h2></h2>
<h2><b>News</b></h2>
<p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><b> </b></p>
<blockquote>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<b>Problems Corrected since version 1.4.6</b><br>
src="images/new10.gif" alt="(New)" title=""></b><br>
<b><br>
Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2).</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid
iptables command.</li>
<li>The
"shorewall stop" command is now disabled when
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being added to a PPP interface; the addresses were successfully added
in spite of the messages.<br>
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages<br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li value="7">The 'shorewall reject'
and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over
IPV6
addresses configured on interfaces in contexts where Shorewall needed
to detect something about the interface (such as when "detect" appears
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy
ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow' or
'save' commands.</li>
<li>To maintain strict compatibility with previous versions,
current uses of "shorewall drop" and "shorewall reject" should be
replaced with "shorewall dropall" and "shorewall rejectall" </li>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The
per-interface Dynamic Blacklisting facility introduced in the first
post-1.4.6 Snapshot has been removed. The facility had too many
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b>New Features:</b><br>
<b></b><b>New Features:</b><br>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
@@ -191,10 +278,9 @@ stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my
SSH
connection to 192.168.1.5!!!</li>
<li>Given
the wide range of VPN software, I can never hope to add specific
support for all of it. I have therefore decided to add "generic" tunnel
support.<br>
<li>Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.<br>
&nbsp;<br>
Generic tunnels work pretty much like any of the other tunnel types.
You usually add a zone to represent the systems at the other end of the
@@ -218,9 +304,8 @@ the remote tunnel gateway<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
address of the remote tunnel gateway.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
Optional. A comma-separated list of zone
names. If specified, the remote gateway is to be considered part of
these zones.</li>
Optional. A comma-separated list of zone names. If specified, the
remote gateway is to be considered part of these zones.</li>
<li>An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
@@ -230,9 +315,94 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended against.<br>
recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
details.</li>
</ol>
<p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
<p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<div style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
- Shorewall 1.4.7 Beta 2</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""> <br>
@@ -333,7 +503,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr>
</tbody>
</table>
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>

596
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@@ -1,368 +1,326 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
Monitoring the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<p> If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you
have configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li>
</ol>
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program. Please refer to the <a
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the
"shorewall" shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p>
State Diagram</a> is shown at the bottom of this page. </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic
permitted through the firewall is from systems listed in /etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new connections
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic permitted
through the firewall is from systems listed in
/etc/shorewall/routestopped
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new
connections
originating from the firewall itself are allowed).</li>
<li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
<li>shorewall restart - stops the firewall (if it's running) and then
starts it again</li>
<li>shorewall reset - reset the packet and byte counters in the
firewall</li>
<li>shorewall clear - remove all rules and chains installed by
Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument,
then a shell trace of the command is produced as in:<br>
If you include the keyword <i>debug</i> as the first argument, then a
shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace information
<p>The above command would trace the 'start' command and place the
trace information
in the file /tmp/trace<br>
</p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about each
of its commands:<br>
</p>
</p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands:<br>
</p>
<ul>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
<li>shorewall help [ <i>command</i> | host | address ]<br>
</li>
</ul>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about
the firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose
report about <i>chain </i>(iptables -L <i>chain</i>
-n -v)</li>
<li>shorewall show nat - produce a verbose report about
the nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about
the mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall
show tc
- displays information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display
the firewall status, last 20 log entries and nat. When the
log entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages
file.</li>
<li>shorewall version - Displays the installed
version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described
below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i>
timeout</i> ] - Restart shorewall using the specified configuration
and if an error occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept
and shorewall save implement <a
href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm
when new Shorewall messages are logged.</li>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i>1 [ <span style="font-style: italic;">chain2
... </span>] - produce a verbose
report about the listed <i>chains </i>(iptables -L <i>chain</i>
-n -v) <span style="font-weight: bold;">Note: </span>You may only
list one chain in the <span style="font-weight: bold;">show</span>
command when running Shorewall version 1.4.6 and earlier.&nbsp; Version
1.4.7 and later allow you to list multiple chains in one command.<br>
</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet
log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall show tc - displays information about the traffic
control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about
the Shorewall packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally
unsuppored and does not parse and validate the generated iptables
commands. Even though the "check" command completes successfully,
the configuration may fail to start. Problem reports that complain
about
errors that the 'check' command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -
Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given
and the new configuration has been up for that many seconds then
shorewall is restarted using the standard configuration.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new
Shorewall messages are logged.</li>
</ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR notation
and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
range of IP addresses into the equivalent list of network/host addresses.
<br>
</li>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR
notation and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the
specified range of IP addresses into the equivalent list of
network/host addresses. <br>
</li>
</ul>
There is a set of commands dealing with <a
There is a set of commands dealing with <a
href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
<ul>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from
the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt
of packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so that
it will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets
from the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes
packets from the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables
receipt of packets from hosts previously blacklisted by a <i>drop</i>
or <i>reject</i> command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so
that it will be automatically restored the next time that the firewall
is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone
</i>- Adds the specified interface (and host if included) to the
specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
</i>- Deletes the specified interface (and host if included) from
the specified zone.</li>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the
specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will
be used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24
vpn1</b></font> -- adds the address 192.0.2.24 from interface ipsec0 to
the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall
check, </b>and <b>shorewall try </b>commands allow you to specify
which <a href="configuration_file_basics.htm#Configs"> Shorewall
configuration</a> to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ]
{start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that
Shorewall is going to use a file in /etc/shorewall it will first look
in the <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be
used.</p>
<p> When changing the configuration of a production firewall, I
recommend the following:</p>
<ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change
from /etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font
color="#009900"><b>/sbin/shorewall try .</b></font></li>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall to
. and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
<p> When the new configuration works then just </p>
<p> If the configuration starts but doesn't work, just "shorewall
restart" to restore the old configuration. If the new configuration
fails to start, the "try" command will automatically start the old one
for you.</p>
<p> When the new configuration works then just </p>
<ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted
below.<br>
</p>
<div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle">
<br>
</div>
<p><EFBFBD> <br>
</p>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the
actual transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
alt="(State Diagram)" width="747" height="714" align="middle"> <br>
</div>
<p>&nbsp; <br>
</p>
You will note that the commands that result in state transitions use
the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
<tbody>
<tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall
Command</b><br>
</u></td>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</u></td>
</tr>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
<td valign="top">The system filters packets based on your current
Shorewall Configuration<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts
is passed to/from/through the firewall. For Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then
in addition, all existing connections are retained and all connection requests
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
<td valign="top">Only traffic to/from hosts listed in
/etc/shorewall/hosts is passed to/from/through the firewall. For
Shorewall versions beginning
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then
in addition, all existing connections are retained and all connection
requests
from the firewall are accepted.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
<td valign="top">Logically equivalent to "firewall stop;firewall
start"<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt;
restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
<td valign="top">Adds a host or subnet to a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
<td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall clear<br>
</td>
<td valign="top">firewall clear<br>
</td>
<td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
<p><font size="2"> Updated 7/31/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<20> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<p><font size="2"> Updated 8/25/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<EFBFBD> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

445
Shorewall-docs/support.htm
View File

@@ -1,92 +1,62 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number of sources of Shorewall information. Please
try these before you post.
</h2>
There are a number of sources of Shorewall information. Please try
these before you post.
<ul>
<li>Shorewall versions
earlier that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
has solutions to more than 20 common problems.
</li>
<li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips
to help you solve common problems. </li>
<li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility
can locate documents and posts about similar problems:
</li>
<li>Shorewall versions earlier that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support list have
answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li>
<li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips
to help you solve common problems. </li>
<li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li> The Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
</ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1">Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@@ -95,250 +65,193 @@ can locate documents and posts about similar problems:
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives:
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include
Mailing List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"><br>
</form>
</blockquote>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
</h2>
<ul>
<li>Please remember we only
know what is posted in your message. Do not leave out
any information that appears to be correct, or was mentioned
in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct
when it actually contained a small error. We tend to be skeptics
where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that
you're asking for <strong>free</strong> technical
support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details
that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then
ask us to send you custom configuration files.
We're here to answer your questions but we can't
do your job for you.<br>
<br>
</li>
<li>When reporting a problem,
<strong>ALWAYS</strong> include this information:</li>
<li>Please remember we only know what is posted in your message. Do
not leave out
any information that appears to be correct, or was mentioned in a
previous post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an
obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details
that we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include this
information:</li>
</ul>
<ul>
<ul>
<li>the exact version of
Shorewall you are running.<br>
<br>
<b><font
color="#009900">shorewall version</font><br>
</b> <br>
</li>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
</ul>
<ul>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
addr show<br>
<br>
</b></font></li>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip
route show<br>
</b></font></li>
<li>the complete, exact
output of<br>
<br>
<font color="#009900"><b>ip route show<br>
</b></font></li>
</ul>
<ul>
</ul>
</ul>
<ul>
<ul>
<li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your
problem is that some type of connection to/from or through your firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall
status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an
attachment (you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
<li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If
your
problem is that some type of connection to/from or through your
firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an
attachment (you may compress it if you like).<br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul>
<li>As a general matter, please <strong>do not edit the
diagnostic information</strong> in an attempt to conceal
your IP address, netmask, nameserver addresses, domain name,
etc. These aren't secrets, and concealing them often misleads
us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages
("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?
If so, include the message(s) in your post along with a copy of
your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try
to "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb
so don't post GIFs of your network
layout, etc. to the Mailing List -- your post will be
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and
concealing them often misleads us (and 80% of the time, a hacker could
derive them anyway from information contained in the SMTP headers of
your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that is giving you
problems? If so, include the message(s) in your post along with a copy
of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified that
file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless
unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font color="#009900"><b>shorewall
start</b></font>", include a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs of
your network
layout, etc. to the Mailing List -- your post will be
rejected.</b></li>
</ul>
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a
<blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all
HTML is a Draconian way to control spam and that the
ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
</blockquote>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML based
e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to convert all HTML to
plain text. These converted posts are difficult to read so all of us
will appreciate it if you just post in plain text to begin with.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall
under MandrakeSoft Multi Network Firewall (MNF) and
you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b>
style="font-weight: 400;">please post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> </p>
</blockquote>
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list.</a> </p>
</blockquote>
<h2>Subscribing to the Users Mailing List<br>
</h2>
<blockquote>
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
<br>
Secure: <a
<p> To Subscribe to the mailing list go to <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
</p>
</blockquote>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
</p>
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> <20> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
size="2">Copyright</font> <20> <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>

7
Shorewall-docs/troubleshoot.htm
View File

@@ -21,6 +21,11 @@
</tr>
</tbody>
</table>
<h3 style="text-align: center;"><span style="font-style: italic;">"If
you think you can you can; if you think you can't you're right.<br>
If you don't believe that you can, why should someone else?" -- Gunnar
Tapper<br>
</span></h3>
<h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to
be sure that there isn't an update that you are missing for your
@@ -194,7 +199,7 @@ in /etc/shorewall/shorewall.conf.</li>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 8/8/2003 - Tom Eastep</font> </p>
<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<EFBFBD> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>