Shorewall-1.4.7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@756 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-10-06 22:38:40 +00:00
parent acad75f82f
commit a30b326a4b
96 changed files with 26174 additions and 26168 deletions

Lrp/etc/shorewall/accounting Executable file

@ -0,0 +1,73 @@
#
# Shorewall version 1.4 - Accounting File
#
# /etc/shorewall/accounting
#
# Accounting rules exist simply to count packets and bytes in categories
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
# Columns are:
#
# ACTION - What to do when a match is found.
#
# COUNT - Simply count the match and continue
# with the next rule
# DONE - Count the match and don't attempt
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
#
# DESTINATION - Packet Destination
#
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number.
#
# DEST PORT Destination Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# SOURCE PORT Source Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
# PORT PORT
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
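Review bot: in the <chain>[:COUNT] description, "If :COUNT is including" should read "If :COUNT is included". The paragraph pointing at http://shorewall.net/Accounting.html appears twice in this header (near the top and again just above the column banner); one copy is enough. It would also help to say, next to the ACTION column, that accounting rules only count and never accept or drop traffic, since a reader could take DONE to mean the packet is disposed of rather than merely excluded from further accounting matches in that chain.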


@ -103,6 +103,15 @@
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.
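Review bot: "IP addresses on any of the firewall's interface" should be "interfaces". The last sentence of the arp_filter text says the interface must be up when Shorewall is started but not what happens when it is not (fatal error, or the option silently not applied). Spell that out: an admin enabling arp_filter so the box stops answering ARP for addresses on its other interfaces needs to know whether a down interface at start time leaves that protection off.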


@ -50,6 +50,9 @@
# #
# Example: 206.124.146.177-206.124.146.180 # Example: 206.124.146.177-206.124.146.180
# #
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names. # This column may not contain DNS Names.
# #
# Example 1: # Example 1:
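Review bot: the new paragraph should say how a comma-separated list of ranges and addresses interacts with ADD_SNAT_ALIASES, since changelog entry 30 in this same commit ("Fix ADD_SNAT_ALIASES interaction with ip ranges used for load-balancing") touches exactly that combination; a one-line statement here (aliases added for every element of the list, or not at all for lists) saves a trip to the changelog.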


@ -32,5 +32,6 @@
# Yes or yes, NAT will be effective from the firewall # Yes or yes, NAT will be effective from the firewall
# system # system
############################################################################## ##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL #EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -3,6 +3,8 @@
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the # don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the # /etc/shorewall/common[.def] file. For each source/destination pair, the
@ -69,8 +71,12 @@
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
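Review bot: the trailing marker lost its "ADD YOUR ENTRIES ABOVE THIS LINE" text, and the new "THE FOLLOWING POLICY MUST BE LAST" comment now sits directly above `all all REJECT info`, so a reader is no longer told where new entries go. Say explicitly that entries belong above the THE FOLLOWING POLICY MUST BE LAST comment and why: policies are matched in order, so a `loc net ACCEPT` placed after `all all REJECT` is never reached, and an entry placed after `net all DROP` never sees traffic from net.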


@ -22,7 +22,7 @@
255.255.255.255 RETURN # We need to allow limited broadcast 255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig 169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918 172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses 192.0.2.0/24 logdrop # Example addresses (RFC 3330)
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
# #
# The following are generated with the help of the Python program found at: # The following are generated with the help of the Python program found at:
@ -46,7 +46,6 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved
83.0.0.0/8 logdrop # Reserved 83.0.0.0/8 logdrop # Reserved
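Review bot: dropping 60.0.0.0/8 stops the firewall from logdropping that block, which is right once it is allocated, but the comment just above says these entries are generated by a Python program. If the generator's source list was refreshed, say so in the "Update of rfc1918 file" changelog entry; if this was a hand edit, it will be undone the next time the list is regenerated.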
@ -57,6 +56,7 @@
197.0.0.0/8 logdrop # Reserved 197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved 198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America 201.0.0.0/8 logdrop # Reserved - Central & South America
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved 240.0.0.0/4 logdrop # Reserved
# #
# End of generated entries # End of generated entries
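Review bot: the 223.0.0.0/8 entry is dated ("Returned by APNIC in 2003"), which is good, but the same concern applies to every plain "Reserved" line: once a block is reallocated, a stale entry here logdrops legitimate traffic from it and the admin only sees it as mysterious log noise. Consider putting a generation date at the top of the generated block so an admin can tell at a glance how old the list is.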


@ -47,10 +47,29 @@
# (those) zone(s). # (those) zone(s).
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# #
# May optionally be followed by ":" and a syslog log # You may rate-limit the rule by optionally
# level (e.g, REJECT:info). This causes the packet to be # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT<4/sec:8>:debugging). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# NOTE: For those of you who prefer to place the
# rate limit in a separate column, see the RATE LIMIT
# column below. If you specify a value in that column,
# you must not include a rate limit in the ACTION column
#
# You may also specify ULOG (must be in upper case) as a # You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing # log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd # to a separate log through use of ulogd
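Review bot: "There may be no no whitespace" has a doubled "no". More importantly, the text does not say what happens to connection requests that exceed <rate>: whether they fall through to the next rule and ultimately to the policy for that zone pair, or are dropped. For an ACCEPT<10/sec:20> rule the difference is between a throttle and an outage, so state it, and note that REJECT and DROP are deliberately absent from the list of rate-limitable actions.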
@ -193,6 +212,39 @@
# If no source IP address is given, the original source # If no source IP address is given, the original source
# address is not altered. # address is not altered.
# #
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the ACTION column.
#
# USER SET This column may only be non-empty if the SOURCE is
# the firewall itself and the ACTION is ACCEPT, DROP or
# REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user>(s) and/or <group>(s) specified.
# When a user set name is given, a log level may not be
# present in the ACTION column; logging for such rules is
# controlled by the user set's entry in
# /etc/shorewall/usersets.
#
# Example: Accept SMTP requests from the DMZ to the internet # Example: Accept SMTP requests from the DMZ to the internet
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
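Review bot: "colume" should be "column", and "There may be no no whitespace" has a doubled "no" (the same sentence as in the ACTION text above). In the USER SET description, "if the program generating the output is running under the effective <user>(s) and/or <group>(s)" should make clear that only the firewall's own locally generated output is matched, which is why the column is restricted to rules whose SOURCE is the firewall; otherwise a reader may expect user-based control of forwarded traffic. Also state whether the `<user>:` (group omitted) and `:<group>` (user omitted) forms are both accepted, since the syntax shows each part as optional.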
@ -206,6 +258,14 @@
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http # DNAT net loc:192.168.1.3 tcp ssh,http
# #
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
#
# Example: Redirect all locally-originating www connection requests to # Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall # port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2 # system) except when the destination address is 192.168.2.2
@ -226,9 +286,9 @@
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 \ # ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22 # tcp 22
############################################################################## ####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST # PORT PORT(S) DEST LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60
NEWNOTSYN=No NEWNOTSYN=No
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
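Review bot: the sample file ships ADMINISABSENTMINDED=Yes even though the text says the default when the variable is unset is No. With Yes, a "stop" or a failed restart leaves all OUTPUT traffic and all established/related connections flowing, so the firewall no longer fails closed on error; that should be an explicit opt-in, not the shipped value. Suggest ADMINISABSENTMINDED=No in the distributed file with the explanation kept above it. "set to the null value" reads better as "set to an empty value".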


@ -58,5 +58,6 @@
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
# ranges. # ranges.
############################################################################## ##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S) #MARK SOURCE DEST PROTO PORT(S) CLIENT
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -10,13 +10,20 @@
# The columns are: # The columns are:
# #
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn". # "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
# #
# If type is "openvpn", it may optionally be followed # If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no # by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port # ":" and port number are included, then the default port
# of 5000 will be used # of 5000 will be used
# #
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which # ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet # tunnel traffic passes. This is normally your internet
# zone. # zone.
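Review bot: for "generic", the text says the port is optional for tcp/udp but not what is opened when it is omitted (presumably every port of that protocol to and from GATEWAY). Since tunnel entries open holes in the net zone toward the gateway, say that explicitly so an admin does not allow every UDP port to the peer by leaving the port off.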
@ -30,7 +37,7 @@
# column is a standalone host then this column should # column is a standalone host then this column should
# contain a comma-separated list of the names of the # contain a comma-separated list of the names of the
# zones that the host might be in. This column only # zones that the host might be in. This column only
# applies to IPSEC tunnels. # applies to IPSEC and generic tunnels.
# #
# Example 1: # Example 1:
# #
@ -85,5 +92,14 @@
# #
# openvpn:7777 net 4.33.99.124 # openvpn:7777 net 4.33.99.124
# #
# TYPE ZONE GATEWAY GATEWAY ZONE PORT # Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
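Review bot: Example 8 uses 4.3.99.124 while Example 7 above it uses 4.33.99.124; if they are meant to be the same host, one is a typo. Either way, the examples would be better on the 192.0.2.0/24 documentation range (which this commit's rfc1918 hunk labels "Example addresses (RFC 3330)") than on a routable address.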

Lrp/etc/shorewall/users Normal file

@ -0,0 +1,25 @@
#
# Shorewall version 1.4 - Users File
#
# /etc/shorewall/users
#
# This file is used to associate local users and/or groups to Shorewall
# "User Sets".
# Columns are:
#
# USERSET The name of a user set defined in
# /etc/shorewall/usersets.
#
# USER A Linux user name or number defined in /etc/passwd.
#
# GROUP A linux group name or number defined in /etc/groups.
#
# The GROUP may be omitted. If it is supplied, then the USER may be
# entered as "-" in which case all members of the specified group are
# included in the USERSET.
#
################################################################################
#USERSET USER GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
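Review bot: "/etc/groups" should be "/etc/group", and "A linux group" should be "A Linux group". The text says GROUP may be omitted and that USER may be "-" when GROUP is given, but not whether names are resolved to numeric ids once when the rules are built or looked up live; for rules that gate which local users may open outbound connections, that matters when accounts are added or renumbered after "shorewall start", so document it.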


@ -0,0 +1,29 @@
#
# Shorewall version 1.4 - Users Sets File
#
# /etc/shorewall/usersets
#
# A user set is a list of <user>, <group> or <user:group> names and can
# be used to control access by individual users to other network hosts
# from the firewall system.
#
# Columns are:
#
# USERSET The name of a user set. May be up to 6 characters in
# length and must be a valid shell identifier.
#
# REJECT The log level for REJECT rules that match a user in this
# userset.
#
# ACCEPT The log level for ACCEPT rules that match a user in this
# userset.
#
# DROP The log level for DROP rules that match a user in this
# userset.
#
# To omit one of the last three columns yet supply a value to one of the
# following ones, enter "-".
#
#USERSET REJECT ACCEPT DROP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
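Review bot: the USERSET column says the name may be "up to 6 characters" and "must be a valid shell identifier" without saying why (presumably it is used to build chain or variable names); a short reason helps whoever hits the limit. The REJECT, ACCEPT and DROP columns are described as "log level" but the accepted values (syslog level names, ULOG, or "-") are only documented in the rules file; either list them here or point at /etc/shorewall/rules.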


@ -7,6 +7,11 @@
# DISPLAY Display name of the zone # DISPLAY Display name of the zone
# COMMENTS Comments about the zone # COMMENTS Comments about the zone
# #
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS #ZONE DISPLAY COMMENTS
net Net Internet net Net Internet
loc Local Local networks loc Local Local networks


@ -51,7 +51,7 @@
# compensate for a change of # compensate for a change of
# broadcast address on any "detect" # broadcast address on any "detect"
# interface. # interface.
# shorewall show <chain> Display the rules in a <chain> # shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
# shorewall show log Print the last 20 log messages # shorewall show log Print the last 20 log messages
# shorewall show connections Show the kernel's connection # shorewall show connections Show the kernel's connection
# tracking table # tracking table
@ -517,6 +517,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done done
} }
#
# Help information
#
help()
{
[ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP"
}
# #
# Give Usage Information # Give Usage Information
# #
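Review bot: `exec $HELP $*` should be `exec $HELP "$@"` so that arguments survive the hand-off intact; `$*` re-splits on IFS. Also consider having help() return non-zero when the help subsystem is not installed, so a scripted `shorewall help` does not exit 0 after only printing "Help subsystem is not installed".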
@ -525,27 +534,28 @@ usage() # $1 = exit status
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>" echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
echo " restart"
echo " status"
echo " clear"
echo " refresh"
echo " hits"
echo " monitor [<refresh interval>]"
echo " version"
echo " check"
echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]"
echo " drop <address> ..."
echo " reject <address> ..."
echo " allow <address> ..." echo " allow <address> ..."
echo " save" echo " check"
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]" echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>" echo " iprange <address>-<address>"
echo " logwatch [<refresh interval>]"
echo " monitor [<refresh interval>]"
echo " refresh"
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " save"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
exit $1 exit $1
} }
@ -611,12 +621,11 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version VERSION_FILE=$SHARED_DIR/version
HELP=$SHARED_DIR/help
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
. $FUNCTIONS . $FUNCTIONS
@ -634,6 +643,8 @@ else
exit 2 exit 2
fi fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then if [ -L $FIREWALL ]; then
@ -687,26 +698,29 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show|list) show|list)
[ $# -gt 2 ] && usage 1
case "$2" in case "$2" in
connections) connections)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - `date`" echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
;; ;;
nat) nat)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version NAT at $HOSTNAME - `date`" echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo echo
show_reset show_reset
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - `date`" echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo echo
show_reset show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
;; ;;
log) log)
[ $# -gt 2 ] && usage 1
get_config get_config
echo "Shorewall-$version Log at $HOSTNAME - `date`" echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo echo
@ -715,20 +729,30 @@ case "$1" in
packet_log 20 packet_log 20
;; ;;
tc) tc)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`" echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo echo
show_tc show_tc
;; ;;
classifiers) classifiers)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`" echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo echo
show_classifiers show_classifiers
;; ;;
*) *)
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`" shift
echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
echo echo
show_reset show_reset
iptables -L $2 -n -v if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain -n -v
done
else
iptables -L -n -v
fi
;; ;;
esac esac
;; ;;
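Review bot: after the `shift`, `$*` is used unquoted both in the echo and in `for chain in $*`; use `for chain in "$@"` so the chain list is not re-split on IFS. The `[ $# -gt 2 ] && usage 1` guard that used to sit above the case statement was moved into every branch except `*)`, which is intentional because `*)` now takes a list; a one-line comment saying so will stop the next reader from "fixing" it.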
@ -837,6 +861,8 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1 iptables -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped" echo "$1 Dropped"
done done
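Review bot: the two new `qt iptables -D` calls each remove a single matching rule before the append, so an address that already has two DROP entries from an older version (the duplication problem changelog entry 28 describes) still keeps one stale entry after one "drop" command. If that matters, loop the delete until it fails.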
@ -847,6 +873,8 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1 iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected" echo "$1 Rejected"
done done
@ -857,13 +885,7 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
if qt iptables -D dynamic -s $1 -j reject; then if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
#
# Address was rejected -- silently remove any drop as well
#
qt iptables -D dynamic -s $1 -j DROP
echo "$1 Allowed"
elif qt iptables -D dynamic -s $1 -j DROP; then
echo "$1 Allowed" echo "$1 Allowed"
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
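Review bot: the old code removed the DROP rule as well after removing a reject, per its own comment "silently remove any drop as well"; the new `||` form short-circuits after the first successful delete, so an address that has both a reject and a DROP entry from before this change keeps the DROP after "allow" and stays blocked. Run both deletes and report "Allowed" if either succeeded.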
@ -927,6 +949,11 @@ case "$1" in
shift; shift;
$@ $@
;; ;;
help)
shift
[ $# -ne 1 ] && usage 1
help $@
;;
*) *)
usage 1 usage 1
;; ;;
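Review bot: usage() advertises `help [ <command > | host | address ]` with the argument optional, but this branch does `[ $# -ne 1 ] && usage 1`, so a bare "shorewall help" prints the usage text and exits 1 instead of showing general help. Either accept zero arguments here or drop the brackets from the usage line; `help $@` should be `help "$@"`, and "<command >" has a stray space.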

File diff suppressed because it is too large


@ -269,6 +269,13 @@ encodeaddr() {
# Enumerate the members of an IP range -- When using a shell supporting only # Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0. # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
# #
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() { ip_range() {
local first last l x y z vlsm local first last l x y z vlsm
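Review bot: "mimimal" should be "minimal". The preceding sentence about ranges not being able to span 128.0.0.0 under 32-bit signed arithmetic applies to both flavors; say so in the new comment.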
@ -308,6 +315,31 @@ ip_range() {
done done
} }
ip_range_explicit() {
local first last
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
while [ $first -le $last ]; do
echo `encodeaddr $first`
first=$(($first + 1))
done
}
# #
# Netmask from CIDR # Netmask from CIDR
# #
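Review bot: ip_range_explicit emits one line per address, so a range such as 10.0.0.0-10.255.255.255 produces about 16 million lines and a careless entry makes "shorewall start" run for a very long time; warn about that in the comment or refuse ranges above some size. The case pattern `[0-9]*.*.*.*-*.*.*.*` uses unescaped "." which matches any character, so it only loosely checks the form and decodeaddr is then trusted to reject junk.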
@ -331,12 +363,11 @@ ip_network() {
# The following hack is supplied to compensate for the fact that many of # The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^"). # the popular light-weight Bourne shell derivatives don't support XOR ("^").
# #
# Note: 2147483647 = 0x7fffffff
ip_broadcast() { ip_broadcast() {
local x=$(( ${1#*/} - 1 )) local x=$(( 32 - ${1#*/} ))
[ $x -eq -1 ] && echo -1 || echo $(( 2147483647 >> $x )) [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
} }
# #
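Review bot: the rewrite depends on $LEFTSHIFT being set by whatever probes the shell's arithmetic support; if it is empty, `$(( 1 $x ))` is a syntax error in every shell. On shells with only 32-bit signed arithmetic (the case the file's header comment calls out), `1 << 31` for a /1 prefix overflows to -2147483648 and the following `- 1` wraps back to 2147483647, which is the right mask only by two's-complement wrap-around; the old `2147483647 >> $x` form never overflowed. Keep the "2147483647 = 0x7fffffff" comment or document the reliance on wrap-around.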
@ -380,3 +411,108 @@ ip_vlsm() {
fi fi
} }
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less "+" and anything following).
#
chain_base() #$1 = interface
{
local c=${1%%+*}
while true; do
case $c in
*.*)
c="${c%.*}_${c##*.}"
;;
*)
echo ${c:=common}
return
;;
esac
done
}
#
# Remove trailing digits from a name
#
strip_trailing_digits() {
echo $1 | sed s'/[0-9].*$//'
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Name from routing table
{
local if_file=$1
local rt_table=$2
case $if_file in
*+)
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
;;
*)
test "$rt_table" = "$if_file"
;;
esac
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_subnet ${1%/*} $addr && echo `find_device $rest`
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo `find_device $rest`
fi
;;
esac
done
}
#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo `find_device $rest` && return
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev="`find_rt_interface $1`"
local first rest
[ -z "$dev" ] && dev=`find_default_interface`
[ -n "$dev" ] && echo $dev
}


@ -1 +1 @@
1.4.6 1.4.7


@ -21,3 +21,6 @@
/etc/shorewall/start Start Commands executed after [re]start /etc/shorewall/start Start Commands executed after [re]start
/etc/shorewall/stop Stop Commands executed before stop /etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop /etc/shorewall/stopped Stopped Commands executed after stop
/etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/usersets UserSets User Set definitions
/etc/shorewall/users Users " " "


@ -1 +1 @@
1.4.6 1.4.7


@ -1,66 +1,101 @@
Changes since 1.4.5 Changes since 1.4.6
1) Worked around RH7.3 "service" anomaly. 1) Added Smart Blacklisting.
2) Implemented 'newnotsyn' interface option. 2) Move determine_capabilities call to do_initialize to ensure that
MANGLE_ENABLED is set before it is tested.
3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES 3) Fixed MAC address handling in the SOURCE column of tcrules.
behavior in that case.
4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges. 4) Merged and corrected Steve Herber's command-specific help patch.
5) Allow Shorewall to add aliases to other than the first subnet on an 5) Removed some undocumented/braindead code from setup_masq()
interface.
6) Add support for load-balancing. 6) Don't allow 'stop' when startup is disabled
7) Toned down the disclaimer for the 'check' command. 7) Added ADMINISABSENTMINDED option.
8) Implemented support for the Connection Tracking Match extension in 8) Fixed adding addresses to ppp interfaces.
iptables 1.2.8/Kernel 2.4.21.
9) Removed the NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration 9) Added generic tunnel support.
parameters and replaced them with code that detects these
capabilities.
10) Added the SHOREWALL_SHELL configuraiton parameter. 10) Added support for Address Range Lists in /etc/shorewall/masq.
11) Fixed capability reporting (thanks to Simon Matter). 11) Simplify ip_broadcast()
12) Correct the implementation of destination IP list in DNAT[-] rules. 12) Add 'arp_filter' interface option.
13) Check for shells whose arithmetic support is broken. 13) Added accounting file support
14) Moved IP Address manipulation functions to 14) Fixed bug where an interface name alone appears in the DESTINATION
/usr/share/shorewall/functions. column of the accounting file.
15. Added ipcalc command. 15) Add ACTION column to accounting file.
16. Fixed handling of destination DNS names containing a "-" 16) Add CHAIN declarations to accounting file.
17. Make ip_range() smarter. 17) Replace calls to chain_exists with calls to havechain in
accounting code.
18. Added /sbin/shorewall iprange command. 18) Allow degenerate DONE and COUNT rules.
19. Fixed handling of excluded zone processing in DNAT and REDIRECT 19) Interface-specific dynamic blacklisting chains are now displayed by
rules (re-added the protocol to the rule). Fixed parsing of exclude "shorewall monitor".
zones.
20. Display policy chain along with policy in 'check' command. 20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
21. Support Linux 2.6 compressed modules. 21) Rate-limited rules added.
22. Don't display DHCP message when there are no DHCP interface. 22) Make burst optional in rate limited rules and policies.
23. Move determine_capabilities call to do_initialize to ensure that 23) Allow display of multiple chains in one "shorewall show" command.
MANGLE_ENABLED is set before it is tested.
24. Fixed MAC address handling in the SOURCE column of tcrules. 24) Add "RATE LIMIT" column for those who prefer their config files to
be wide but normalized.
25. Disabled 'stop' command when startup is disabled. 25) Redesign the accounting facility to make it simpler and more
flexible.
26. Fixed adding addresses to ppp interfaces. 26) Add Henry Wang's fix for LOGRATE/LOGBURST and enhance to resolve
conflict between that facility and rate-limited logging rules.
27. Corrected IP range in masq entry WRT ADD_SNAT_ALIASES 27) Add User Set capability.
28. Fix IPV6 address confusion. 28) Deimplement Smart Blacklisting and fix problem with multiple
'drop'/'reject' commands for the same address.
29) Update for 1.4.7 Beta 1.
30) Fix ADD_SNAT_ALIASES interaction with ip ranges used for
load-balancing.
31) Fix IPV6 address confusion.
32) Add "o.gz" to the list of module extensions.
33) Replace existing route to PROXY ARP host rather than adding another
one.
34) Update of rfc1918 file.
35) Correct rules file comment.
36) Extend USER SET column in /etc/shorewall/rules to allow user:group.
37) Reword error message to avoid the word 'illegal'.
38) Avoid shell error when there is no policy corresponding to a rule.
39) Fatal error if /etc/shorewall/common or /etc/shoreall/common.def do
not exist.
40) Process blacklist before DHCP.
41) Fix 'logunclean' log message disposition.
42) Update rfc1918.
43) Remove Conflict specification from shorewall.rpm to appease the
SuSE crowd.
44) Removed a fly-speck at the beginning of the 'masq' file.
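Review bot: item 39 misspells the path as /etc/shoreall/common.def; it should read /etc/shorewall/common.def to match the /etc/shorewall/common entry in the same sentence. Items 34 ("Update of rfc1918 file.") and 42 ("Update rfc1918.") record the same kind of change twice with nothing to tell the two updates apart; either merge them or say what each update changed.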


@ -1,234 +1,214 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall and FTP</title> <title>Shorewall and FTP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2></h2> <h2></h2>
<blockquote> </blockquote>
<blockquote> </blockquote> <p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
<p>FTP transfers involve two TCP connections. The first <u>control</u> connection connection is used for logon and to send commands and responses between
goes from the FTP client to port 21 on the FTP server. This connection is the endpoints. Data transfers (including the output of "ls" and "dir"
used for logon and to send commands and responses between the endpoints. commands) requires a second <u>data</u> connection. The data
Data transfers (including the output of "ls" and "dir" commands) requires connection is dependent on the <u>mode</u>
a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
that the client is operating in:<br> that the client is operating in:<br>
</p> </p>
<ul> <ul>
<li>Passive Mode (default for web browsers) -- The client issues a PASV <li>Passive Mode (default for web browsers) -- The client issues a
command. Upon receipt of this command, the server listens on a dynamically-allocated PASV command. Upon receipt of this command, the server listens on a
port then sends a PASV reply to the client. The PASV reply gives the IP address dynamically-allocated port then sends a PASV reply to the client. The
and port number that the server is listening on. The client then opens a PASV reply gives the IP address
and port number that the server is listening on. The client then opens
a
second connection to that IP address and port number.</li> second connection to that IP address and port number.</li>
<li>Active Mode (often the default for line-mode clients) -- The client <li>Active Mode (often the default for line-mode clients) -- The
listens on a dynamically-allocated port then sends a PORT command to the client listens on a dynamically-allocated port then sends a PORT
server. The PORT command gives the IP address and port number that the client command to the server. The PORT command gives the IP address and port
is listening on. The server then opens a connection to that IP address and number that the client is listening on. The server then opens a
port number; the <u>source port</u> for this connection is 20 (ftp-data in connection to that IP address and port number; the <u>source port</u>
/etc/services).</li> for this connection is 20 (ftp-data in /etc/services).</li>
</ul> </ul>
You can see these commands in action using your linux ftp command-line You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive mode client in debugging mode. Note that my ftp client defaults to passive
and that I can toggle between passive and active mode by issuing a "passive" mode and that I can toggle between passive and active mode by issuing a
command:<br> "passive" command:<br>
<blockquote> <blockquote>
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font <pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre> color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
</blockquote> </blockquote>
Things to notice:<br> Things to notice:<br>
<ol> <ol>
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br> <li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li> </li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li> <li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are <li>Command responses from the server over the control connection are
numbered.<br> numbered.<br>
</li> </li>
<li>FTP uses a comma as a separator between the bytes of the IP address; <li>FTP uses a comma as a separator between the bytes of the IP
and</li> address; and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and separates <li>When sending a port number, FTP sends the MSB then the LSB and
the two bytes by a comma. As shown in the PORT command, port 142,58 translates separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates
to 142*256+58 = 36410.<br> to 142*256+58 = 36410.<br>
</li> </li>
</ol> </ol>
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode requires local clients to remote servers will always work but active mode
the firewall to dynamically open a "hole" for the server's connection back requires the firewall to dynamically open a "hole" for the server's
to the client. Similarly, if you are running an FTP server in your local connection back to the client. Similarly, if you are running an FTP
zone then active mode should always work but passive mode requires the firewall server in your local
to dynamically open a "hole" for the client's second connection to the server. zone then active mode should always work but passive mode requires the
This is the role of FTP connection-tracking support in the Linux kernel. firewall to dynamically open a "hole" for the client's second
connection to the server. This is the role of FTP connection-tracking
support in the Linux kernel.
<div align="left"><br> <div align="left"><br>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved, Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
the PORT commands and PASV responses may also need to be modified by the involved, the PORT commands and PASV responses may also need to be
firewall. This is the job of the FTP nat support kernel function.<br> modified by the firewall. This is the job of the FTP nat support kernel
</div> function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means that the <p>Including FTP connection-tracking and NAT support normally means
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/ loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br> and you can determine if they are loaded using the 'lsmod' command:<br>
</p> </p>
<blockquote> <blockquote>
<p>Example:<br> <p>Example:<br>
</p> </p>
<blockquote> <blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre> <pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT 
ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote> </blockquote>
</blockquote> </blockquote>
<blockquote> </blockquote>
<blockquote> </blockquote> <p>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
<p>If you want Shorewall to load these modules from an alternate directory, /etc/shorewall/shorewall.conf to point to that directory.<br>
you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf </p>
to point to that directory.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the <p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br> /etc/shorewall/rules documentation</a>,<br>
</p> </p>
<p>For a client, you must open outbound TCP port 21.&nbsp;<br>
<p>For a client, you must open outbound TCP port 21. <br> </p>
</p> <p>The above discussion about commands and responses makes it clear
that the
<p>The above discussion about commands and responses makes it clear that the FTP connection-tracking and NAT helpers must scan the traffic on the
FTP connection-tracking and NAT helpers must scan the traffic on the control control
connection looking for PASV and PORT commands as well as PASV responses. If connection looking for PASV and PORT commands as well as PASV
you run an FTP server on a nonstandard port or you need to access such responses. If
a server,  you must therefore let the helpers know by specifying the port you run an FTP server on a nonstandard port or you need to access such
in /etc/shorewall/modules entries for the helpers. For example, if you a server,&nbsp; you must therefore let the helpers know by specifying
run an FTP server that listens on port 49 then you would have:<br> the port
</p> in /etc/shorewall/modules entries for the helpers. <span
style="font-weight: bold;">For example, if you
run an FTP server that listens on port 49 or you need to access a
server on the internet that listens on that port then you would have:</span><br>
</p>
<blockquote> <blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br> <p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br> loadmodule ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may may have problems accessing regular FTP servers.</p>
have problems accessing regular FTP servers.</p> <p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in
<p>If there is a possibility that these modules might be loaded before Shorewall /etc/modules.conf:<br>
starts, then you should include the port list in /etc/modules.conf:<br> </p>
</p>
<blockquote> <blockquote>
<p>options ip_conntrack_ftp ports=21,49<br> <p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br> options ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules /etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
and/or /etc/modules.conf, you must either:<br> </p>
</p>
<ol> <ol>
<li>Unload the modules and restart shorewall: (<b><font <li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>); color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
or</li> restart</font></b>); or</li>
<li>Reboot</li> <li>Reboot</li>
</ol> </ol>
One problem that I see occasionally involves active mode and the FTP server One problem that I see occasionally involves active mode and the FTP
in my DMZ. I see the active data connection <u>to certain client IP addresses</u> server in my DMZ. I see the active data connection <u>to certain
being continuously rejected by my firewall. It is my conjecture that there client IP addresses</u> being continuously rejected by my firewall. It
is some broken client out there that is sending a PORT command that is being is my conjecture that there is some broken client out there that is
either missed or mis-interpreted by the FTP connection tracking helper yet sending a PORT command that is being either missed or mis-interpreted
it is being accepted by my FTP server. My solution is to add the following by the FTP connection tracking helper yet it is being accepted by my
rule:<br> FTP server. My solution is to add the following rule:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
PORT(S)<br> PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL<br> <td valign="top"><b>ORIGINAL<br>
DESTINATION<br> DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT:info<br> <td valign="top">ACCEPT:info<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
<td valign="top">20<br> <td valign="top">20<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br> <br>
<br> </blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body> </body>
</html> </html>
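Review bot: the rewrap split the lsmod sample inside the <pre> element, so the ip_tables line now has a source newline after "ipt_REDIRECT" that renders as a line break in the middle of the module list; keep each transcript line on one source line, since <pre> preserves whitespace. Separately, the rule at the end (ACCEPT:info dmz net tcp - 20) matches only on TCP source port 20, which any DMZ host can bind, so it also admits non-FTP traffic from the DMZ to any TCP port on the net as long as the sender uses source port 20; if the rule is kept, narrowing the SOURCE column to the FTP server's address (dmz:<ftp-server-address>) limits that exposure, and the :info logging it already carries is the way to spot unexpected matches. Minor: "the /etc/shorewall/rules documentation</a>,<br>" still ends the sentence with a comma.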


@ -2,51 +2,52 @@
<html> <html>
<head> <head>
<title>What Shorewall Cannot Do</title> <title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<small> </small><small> <small> </small><small> </small><small> </small><small> </small><small>
</small><small> </small> <small> </small>
</small><small>
</small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"><small> </small> <td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall <h1 align="center"><small><font color="#ffffff">Some things that
<b>Cannot</b> Do</font></small></h1> Shorewall <b>Cannot</b> Do</font></small></h1>
<small> <small> </small></td>
</small></td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<small><br> <small><br>
</small>Shorewall cannot:<br> </small>Shorewall cannot:<br>
<ul> <ul>
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li> <li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by application.</li> <li>Act as a "Personal Firewall" that allows internet access by
<li>Do content filtering -- better to use <a application.</li>
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br> <li>Be used with an Operating System other than Linux (version &gt;=
</li> 2.4.0)<br>
</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
</ul> </ul>
<br> In addition:<br>
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font> <ul>
<li>Shorewall does not contain any support for Netfilter <span
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
only supports features from released kernels.<br>
</li>
</ul>
<br>
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
</body> </body>
</html> </html>
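Review bot: the new item "Be used with an Operating System other than Linux (version &gt;= 2.4.0)" ends with a bare <br> and no period, unlike the other items in the list; drop the <br> and add the period. The run of empty <small> </small> elements above the title table is editor cruft that survived the rewrap and can be deleted.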


@ -2,540 +2,462 @@
<html> <html>
<head> <head>
<title>Shorewall Squid Usage</title> <title>Shorewall Squid Usage</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#3366ff"><a <td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4"> </a><br>
</a><br> </td>
</td> <td valign="middle" height="90" align="center" width="34%">
<td valign="middle" height="90" align="center"
width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1> <h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<h1> </h1>
<h1> </h1> </td>
</td> <td valign="middle" height="90" width="33%" align="right"><a
<td valign="middle" height="90" width="33%" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
align="right"><a href="http://www.squid-cache.org/"><img alt="" width="100" height="31" hspace="4"> </a><br>
src="images/cache_now.gif" alt="" width="100" height="31" hspace="4"> </td>
</a><br> </tr>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br> href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<br> <br>
<img border="0" src="images/j0213519.gif" width="60" <img border="0" src="images/j0213519.gif" width="60" height="60"
height="60" alt="Caution" align="middle"> alt="Caution" align="middle"> &nbsp;&nbsp;&nbsp; Please observe the
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
height="13"> &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured as a transparent proxy as described at <a
to run as a transparent proxy as described at <a
href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br> href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" </b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
height="13"> &nbsp;&nbsp;&nbsp; </b>The following instructions mention
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start and /etc/shorewall/init -- if you don't
the files /etc/shorewall/start and /etc/shorewall/init -- if you don't have those files, siimply create them.<br>
have those files, siimply create them.<br> <br>
<br> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
<b><img src="images/BD21298_3.gif" alt="" width="13" When the Squid server is in the DMZ zone or in the local zone, that
height="13"> zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ file entries. That is because the packets being routed to the Squid
zone or in the local zone, that zone must be defined ONLY by its interface server still have their original destination IP addresses.<br>
-- no /etc/shorewall/hosts file entries. That is because the packets <br>
being routed to the Squid server still have their original destination <b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
IP addresses.<br> You must have iptables installed on your Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" <b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
height="13"> If you run a Shorewall version earlier than 1.4.6, you must have NAT
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on and MANGLE enabled in your /etc/shorewall/conf file<br>
your Squid server.<br> <br>
<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
<b><img src="images/BD21298_3.gif" alt="" width="13" NAT_ENABLED=Yes<br>
height="13"> </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier <br>
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf Three different configurations are covered:<br>
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
running on the Firewall.</a></li> running on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
in the local network</a></li> local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
in the DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests You want to redirect all local www connection requests
EXCEPT those to your EXCEPT those to your own http server (206.124.146.177) to a Squid
own http server transparent proxy running on the firewall
(206.124.146.177) to a Squid and listening on port 3128. Squid will of course require access
transparent proxy running on the firewall
and listening on port 3128. Squid will of course require access
to remote web servers.<br> to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
<td>loc</td> <td>loc</td>
<td>3128</td> <td>3128</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> -<br> <td> -<br>
</td> </td>
<td>!206.124.146.177</td> <td>!206.124.146.177</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
There may be a requirement to exclude additional destination There may be a requirement to exclude additional destination
hosts or networks from being redirected. For example, you might also want hosts or networks from being redirected. For example, you might also
requests destined for 130.252.100.0/24 to not be routed to Squid. In that want
case, you must add a manual rule in /etc/shorewall/start:<br> requests destined for 130.252.100.0/24 to not be routed to Squid. In
that
case, you must add a manual rule in /etc/shorewall/start:<br>
<blockquote> <blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre> <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote> </blockquote>
&nbsp;To exclude additional hosts or networks, just add additional &nbsp;To exclude additional hosts or networks, just add additional
similar rules.<br> similar rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests You want to redirect all local www connection requests to a Squid
to a Squid transparent transparent proxy running in your local zone at 192.168.1.3 and
proxy running in your local zone at 192.168.1.3 and listening listening
on port 3128. Your local interface is eth1. There may also be a web on port 3128. Your local interface is eth1. There may also be a web
server running on 192.168.1.3. It is assumed that web access is already server running on 192.168.1.3. It is assumed that web access is already
enabled from the local zone to the internet.<br> enabled from the local zone to the internet..<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, <li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
please upgrade to Shorewall 1.4.2 or later.<br> upgrade to Shorewall 1.4.2 or later.<br>
<br> <br>
</li> </li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br> <li>If you are running Shorewall 1.4.2 or later, then in
<br> /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ZONE<br> <td valign="top">ZONE<br>
</td> </td>
<td valign="top">INTERFACE<br> <td valign="top">INTERFACE<br>
</td> </td>
<td valign="top">BROADCAST<br> <td valign="top">BROADCAST<br>
</td> </td>
<td valign="top">OPTIONS<br> <td valign="top">OPTIONS<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth1<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top">detect<br> <td valign="top">detect<br>
</td> </td>
<td valign="top"><b>routeback</b><br> <td valign="top"><b>routeback</b><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
</td> </td>
<td>loc</td> <td>loc</td>
<td>loc<br> <td>loc<br>
</td> </td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td><br> <td><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</li> </li>
<br> <br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have <li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br> the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>POLICY<br> <td valign="top"><b>POLICY<br>
</b></td> </b></td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top"><b>LOG LEVEL<br>
</b></td> </b></td>
<td valign="top"><b>BURST PARAMETERS<br> <td valign="top"><b>BURST PARAMETERS<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/start add:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to <li>On 192.168.1.3, arrange for the following command to be executed
be executed after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply
<blockquote> If you are running RedHat on the server, you can simply execute execute the following commands after you have typed the iptables
the following commands after you have typed the iptables command above:<br> command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address You have a single Linux system in your DMZ with IP address 192.0.2.177.
192.0.2.177. You want to run both a web server and Squid on that system. You want to run both a web server and Squid on that system. Your DMZ
Your DMZ interface is eth1 and your local interface is eth2.<br> interface is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf and add the following entry in
and add the following entry in /etc/shorewall/tcrules:<br> /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">MARK<br> <td valign="top">MARK<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DESTINATION<br> <td valign="top">DESTINATION<br>
</td> </td>
<td valign="top">PROTOCOL<br> <td valign="top">PROTOCOL<br>
</td> </td>
<td valign="top">PORT<br> <td valign="top">PORT<br>
</td> </td>
<td valign="top">CLIENT PORT<br> <td valign="top">CLIENT PORT<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
<td valign="top">0.0.0.0/0<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry C) Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:<br> in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">MARK<br> <td valign="top">MARK<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DESTINATION<br> <td valign="top">DESTINATION<br>
</td> </td>
<td valign="top">PROTOCOL<br> <td valign="top">PROTOCOL<br>
</td> </td>
<td valign="top">PORT<br> <td valign="top">PORT<br>
</td> </td>
<td valign="top">CLIENT PORT<br> <td valign="top">CLIENT PORT<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202:P<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
<td valign="top">0.0.0.0/0<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules, you will need:</li> <li>In /etc/shorewall/rules, you will need:</li>
</ul> </ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">ACTION<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTO<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
PORT(S)<br> PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT<br>
PORT(2)<br> PORT(2)<br>
</td> </td>
<td valign="top">ORIGINAL<br> <td valign="top">ORIGINAL<br>
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for <li>On 192.0.2.177 (your Web/Squid server), arrange for the following
the following command to be executed after networking has come up<br> command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply
<blockquote> If you are running RedHat on the server, you can simply execute execute the following commands after you have typed the iptables
the following commands after you have typed the iptables command above:<br> command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote>
<blockquote> </blockquote> <p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font size="-1"> Updated 8/4/2003 - <a href="support.htm">Tom Eastep</a> <a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
</font></p> size="2">2003 Thomas M. Eastep.</font></a><br>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
</body> </body>
</html> </html>
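Review bot: the reflow of the "Squid Running in the local network" intro introduces a doubled period on the new side ("to the internet..<br>"); drop one. While in this file, two typos survive in both versions and are worth fixing here: "Alternativfely" in the 1.4.0 policy alternative, and the "CLIENT PORT(2)" column header in the DMZ rules table, which should read "PORT(S)" to match the other rules tables on the page. The new WARNING paragraph says the local-network layout is not recommended but leaves the step list as-is; a one-line pointer to the firewall or DMZ layout as the preferred alternative would make the recommendation actionable.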


@ -1,409 +1,341 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Configuration File Basics</title> <title>Configuration File Basics</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration configuration files on a system running Microsoft Windows, you <u>must</u>
files on a system running Microsoft Windows, you <u>must</u> run them through <a
run them through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> before you use them with Shorewall.</b></p>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2> <h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to <li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li> set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to <li>/etc/shorewall/params - use this file to set shell variables that
set shell variables that you will expand in other files.</li> you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's view of the world
view of the world into <i>zones.</i></li> into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
high-level policy.</li> <li>/etc/shorewall/interfaces - describes the interfaces on the
<li>/etc/shorewall/interfaces - describes the firewall system.</li>
interfaces on the firewall system.</li> <li>/etc/shorewall/hosts - allows defining zones in terms of
<li>/etc/shorewall/hosts - allows defining zones individual hosts and subnetworks.</li>
in terms of individual hosts and subnetworks.</li> <li>/etc/shorewall/masq - directs the firewall where to use
<li>/etc/shorewall/masq - directs the firewall many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
where to use many-to-one (dynamic) Network Address Translation and Source Network Address Translation (SNAT).</li>
(a.k.a. Masquerading) and Source Network Address Translation <li>/etc/shorewall/modules - directs the firewall to load kernel
(SNAT).</li> modules.</li>
<li>/etc/shorewall/modules - directs the firewall <li>/etc/shorewall/rules - defines rules that are exceptions to the
to load kernel modules.</li> overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/rules - defines rules that <li>/etc/shorewall/nat - defines static NAT
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
rules.</li> rules.</li>
<li>/etc/shorewall/proxyarp - defines use of <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
Proxy ARP.</li> <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 hosts accessible when Shorewall is stopped.</li>
and later) - defines hosts accessible when Shorewall is stopped.</li> <li>/etc/shorewall/tcrules - defines marking of packets for later use
<li>/etc/shorewall/tcrules - defines marking by traffic control/shaping or policy routing.</li>
of packets for later use by traffic control/shaping or policy <li>/etc/shorewall/tos - defines rules for setting the TOS field in
routing.</li> packet headers.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tunnels - defines IPSEC,
the TOS field in packet headers.</li> GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
GRE and IPIP tunnels with end-points on the firewall system.</li> addresses.</li>
<li>/etc/shorewall/blacklist - lists blacklisted <li>/etc/shorewall/init - commands that you wish to execute at
IP/subnet/MAC addresses.</li> the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/init - commands that you wish to execute at <li>/etc/shorewall/start - commands that you wish to execute at the
the beginning of a "shorewall start" or "shorewall restart".</li> completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/start - commands that you wish to execute at <li>/etc/shorewall/stop - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li> the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stop - commands that you wish to execute at <li>/etc/shorewall/stopped - commands that you wish to execute
the beginning of a "shorewall stop".</li> at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute <li>/etc/shorewall/ecn - disable Explicit Congestion Notification
at the completion of a "shorewall stop".</li> (ECN - RFC 3168) to remote hosts or networks.</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN <li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
- RFC 3168) to remote hosts or networks.<br> <li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
</li> users/groups with
similar access rights<br>
</li>
</ul> </ul>
<h2>Comments</h2>
<h2><a name="Comments"></a>Comments</h2> <p>You may place comments in configuration files by making the first
non-whitespace character a pound sign ("#"). You may also place
<p>You may place comments in configuration files by making the first non-whitespace comments at the end of any line, again by delimiting the comment from
character a pound sign ("#"). You may also place comments the
at the end of any line, again by delimiting the comment from the rest of the line with a pound sign.</p>
rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
<pre># This is a comment</pre> <pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre> <pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2> <h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual
<p>You may continue lines in the configuration files using the usual backslash backslash ("\") followed immediately by a new line character.</p>
("\") followed immediately by a new line character.</p>
<p>Example:</p> <p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre> <pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2> Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives. Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
An INCLUDE directive consists of the word INCLUDE followed by a file name directives. An INCLUDE directive consists of the word INCLUDE followed
and causes the contents of the named file to be logically included into by a file name and causes the contents of the named file to be
the file containing the INCLUDE. File names given in an INCLUDE directive logically included into the file containing the INCLUDE. File names
are assumed to reside in /etc/shorewall or in an alternate configuration given in an INCLUDE directive are assumed to reside in /etc/shorewall
directory if one has been specified for the command.<br> or in an alternate configuration directory if one has been specified
<br> for the command.<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives <br>
are ignored with a warning message.<big><big><br> INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
<br> directives are ignored with a warning message.<big><big><br>
</big></big> Examples:<big> </big> <br> <br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br> <blockquote> &nbsp;&nbsp; shorewall/params.mgmt:<br>
<blockquote> &nbsp;&nbsp; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br> &nbsp;&nbsp; TIME_SERVERS=4.4.4.4<br>
   TIME_SERVERS=4.4.4.4<br> &nbsp;&nbsp; BACKUP_SERVERS=5.5.5.5<br>
   BACKUP_SERVERS=5.5.5.5<br> </blockquote>
</blockquote> &nbsp;&nbsp; ----- end params.mgmt -----<br>
   ----- end params.mgmt -----<br> </blockquote>
</blockquote> <blockquote> &nbsp;&nbsp; shorewall/params:<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br> <blockquote> &nbsp;&nbsp; # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br> &nbsp;&nbsp; [..]<br>
   #######################################<br> &nbsp;&nbsp; #######################################<br>
 <br> &nbsp;<br>
   INCLUDE params.mgmt    <br> &nbsp;&nbsp; INCLUDE params.mgmt&nbsp;&nbsp;&nbsp; <br>
  <br> &nbsp; <br>
   # params unique to this host here<br> &nbsp;&nbsp; # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br> &nbsp;&nbsp; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
</blockquote> REMOVE<br>
</blockquote> </blockquote>
</blockquote>
<blockquote>    ----- end params -----<br> <blockquote> &nbsp;&nbsp; ----- end params -----<br>
</blockquote> </blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules.mgmt:<br>
<blockquote>    shorewall/rules.mgmt:<br> </blockquote>
</blockquote>
<blockquote> <blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br> <blockquote> &nbsp;&nbsp; ACCEPT
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br> net:$MGMT_SERVERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br> $FW&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
</blockquote> &nbsp;&nbsp; ACCEPT
</blockquote> $FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$TIME_SERVERS&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 123<br>
<blockquote>    ----- end rules.mgmt -----<br> &nbsp;&nbsp; ACCEPT
</blockquote> $FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$BACKUP_SERVERS&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
<blockquote>    shorewall/rules:<br> </blockquote>
</blockquote> </blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br> <blockquote> &nbsp;&nbsp; # Shorewall version 1.3 - Rules File<br>
   [..]<br> &nbsp;&nbsp; [..]<br>
   #######################################<br> &nbsp;&nbsp; #######################################<br>
 <br> &nbsp;<br>
   INCLUDE rules.mgmt     <br> &nbsp;&nbsp; INCLUDE rules.mgmt&nbsp;&nbsp;&nbsp;&nbsp; <br>
  <br> &nbsp; <br>
   # rules unique to this host here<br> &nbsp;&nbsp; # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br> &nbsp;&nbsp; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
</blockquote> REMOVE<br>
</blockquote> </blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br> <blockquote> &nbsp;&nbsp; ----- end rules -----<br>
</blockquote> </blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2> <h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u> <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS using DNS names in Shorewall configuration files. If you use DNS names
names and you are called out of bed at 2:00AM because Shorewall won't and you are called out of bed at 2:00AM because Shorewall won't start
start as a result of DNS problems then don't say that you were not forewarned. as a result of DNS problems then don't say that you were not
<br> forewarned. <br>
</b></p> </b></p>
<p align="left"><b>&nbsp;&nbsp;&nbsp; -Tom<br>
<p align="left"><b>    -Tom<br> </b></p>
</b></p> <p align="left">Beginning with Shorewall 1.3.9, Host addresses in
Shorewall configuration files may be specified as either IP addresses
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall or DNS Names.<br>
configuration files may be specified as either IP addresses or DNS <br>
Names.<br> DNS names in iptables rules aren't nearly as useful
<br> as they first appear. When a DNS name appears in a rule, the iptables
DNS names in iptables rules aren't nearly as useful utility resolves the name to one or more IP addresses and inserts those
as they first appear. When a DNS name appears in a rule, the iptables addresses into the rule. So changes in the DNS-&gt;IP address
utility resolves the name to one or more IP addresses and inserts relationship that occur after the firewall has started have absolutely
those addresses into the rule. So changes in the DNS-&gt;IP address no effect on the firewall's ruleset. </p>
relationship that occur after the firewall has started have absolutely <p align="left"> If your firewall rules include DNS names then:</p>
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall <li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
won't start.</li> <li>If your /etc/nsswitch.conf is wrong then your firewall won't
<li>If your /etc/nsswitch.conf is wrong then your firewall start.</li>
won't start.</li> <li>If your Name Server(s) is(are) down then your firewall won't
<li>If your Name Server(s) is(are) down then your firewall start.</li>
won't start.</li> <li>If your startup scripts try to start your firewall before
<li>If your startup scripts try to start your firewall starting your DNS server then your firewall won't start.<br>
before starting your DNS server then your firewall won't start.<br> </li>
</li> <li>Factors totally outside your control (your ISP's router is down
<li>Factors totally outside your control (your ISP's for example), can prevent your firewall from starting.</li>
router is down for example), can prevent your firewall from starting.</li> <li>You must bring up your network interfaces prior
<li>You must bring up your network interfaces prior to starting your firewall.<br>
to starting your firewall.<br> </li>
</li>
</ul> </ul>
<p align="left"> Each DNS name much be fully qualified and include a
<p align="left"> Each DNS name much be fully qualified and include a minumum minumum of two periods (although one may be trailing). This restriction
of two periods (although one may be trailing). This restriction is is imposed by Shorewall to insure backward compatibility with existing
imposed by Shorewall to insure backward compatibility with existing configuration files.<br>
configuration files.<br> <br>
<br> Examples of valid DNS names:<br>
Examples of valid DNS names:<br> </p>
</p>
<ul> <ul>
<li>mail.shorewall.net</li> <li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li> <li>shorewall.net. (note the trailing period).</li>
</ul> </ul>
Examples of invalid DNS names:<br> Examples of invalid DNS names:<br>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net (only one period)</li>
</ul> </ul>
DNS names may not be used as:<br> DNS names may not be used as:<br>
<ul> <ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
file)</li> <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li> <li>In the /etc/shorewall/nat file.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul> </ul>
These restrictions are not imposed by Shorewall simply These restrictions are not imposed by Shorewall simply for your
for your inconvenience but are rather limitations of iptables.<br> inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
<p>Where specifying an IP address, a subnet or an interface, you can precede precede the item with "!" to specify the complement of the item. For
the item with "!" to specify the complement of the item. For example, example, !192.168.1.4 means "any host but 192.168.1.4". There must be
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space no white space following the "!".</p>
following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2> <h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br> Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,     Invalid: routefilter,&nbsp;&nbsp;&nbsp;&nbsp;
norfc1818</li> dhcp,&nbsp;&nbsp;&nbsp;&nbsp; norfc1818</li>
<li>If you use line continuation to break a <li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li> in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear <li>Entries in a comma-separated list may appear in any order.</li>
in any order.</li>
</ul> </ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2> <h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
<p>Unless otherwise specified, when giving a port number you can use either either an integer or a service name from /etc/services. </p>
an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, if
if you want to forward the range of tcp ports 4000 through 4100 to you want to forward the range of tcp ports 4000 through 4100 to local
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br> omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
<p>You may use the /etc/shorewall/params file to set shell variables that you can then use in some of the other configuration files.</p>
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font face="Century Gothic, Arial, Helvetica">
face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font face="Century Gothic, Arial, Helvetica">
face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre> <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration files.</p>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2> <h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
<p>Media Access Control (MAC) addresses can be used to specify packet source in several of the configuration files. To use this feature, your
source in several of the configuration files. To use this kernel must have MAC Address Match support
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
(CONFIG_IP_NF_MATCH_MAC) included.</p> <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique <br>
MAC address.<br> In GNU/Linux, MAC addresses are usually written as a series of 6 hex
<br> numbers separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written <br>
as a series of 6 hex numbers separated by colons. Example:<br> &nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
<br> &nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     [root@gateway root]# ifconfig eth0<br> &nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br> Bcast:206.124.146.255 Mask:255.255.255.0<br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 &nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500
Mask:255.255.255.0<br> Metric:1<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> &nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0
     RX packets:2398102 errors:0 dropped:0 overruns:0 overruns:0 frame:0<br>
frame:0<br> &nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0
     TX packets:3044698 errors:0 dropped:0 overruns:0 overruns:0 carrier:0<br>
carrier:0<br> &nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
     collisions:30394 txqueuelen:100<br> &nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 bytes:1659782221 (1582.8 Mb)<br>
(1582.8 Mb)<br> &nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
     Interrupt:11 Base address:0x1800<br> <br>
<br> Because Shorewall uses colons as a separator for address fields,
Because Shorewall uses colons as a separator for Shorewall requires MAC addresses to be written in another way. In
address fields, Shorewall requires MAC addresses to be written Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex
in another way. In Shorewall, MAC addresses begin with a tilde numbers separated by hyphens. In Shorewall, the MAC address in the
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall, example above would be written "~02-00-08-E3-FA-55".<br>
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br> </p>
</p> <p><b>Note: </b>It is not necessary to use the special Shorewall
notation in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation file.<br>
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> </p>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. /etc/shorewall. The <a href="starting_and_stopping_shorewall.htm">shorewall
The <a href="starting_and_stopping_shorewall.htm">shorewall check, check, start and restart</a> commands allow you to specify an alternate
start and restart</a> commands allow you to specify an alternate configuration directory and Shorewall will use the files in the
configuration directory and Shorewall will use the files in the alternate alternate directory rather than the corresponding files in
directory rather than the corresponding files in /etc/shorewall. The /etc/shorewall. The alternate directory need not contain a complete
alternate directory need not contain a complete configuration; those configuration; those files not in the alternate directory will be read
files not in the alternate directory will be read from /etc/shorewall.</p> from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary
<p> This facility permits you to easily create a test or temporary configuration configuration by:</p>
by:</p>
<ol> <ol>
<li> copying the files that need modification <li> copying the files that need modification from /etc/shorewall to
from /etc/shorewall to a separate directory;</li> a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory; and</li>
and</li> <li> specifying the separate directory in a shorewall start or
<li> specifying the separate directory in a shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
shorewall start or shorewall restart command (e.g., <i><b>shorewall restart</b></i> )</li>
-c /etc/testconfig restart</b></i> )</li>
</ol> </ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a> The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if an allows you to attempt to restart using an alternate configuration and
if an
error occurs to automatically restart the standard configuration.<br> error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a> </font></p>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
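Review bot: the only substantive change in this hunk is the "Updated" date (6/29/2003 to 8/22/2003); everything else is whitespace reflow, so the text defects survive on the new side and should be fixed while the file is being touched. "Each DNS name much be fully qualified and include a minumum of two periods" should read "must ... minimum", and "insure backward compatibility" should be "ensure". In the comma-separated list example the invalid entry "norfc1818" should be "norfc1918" to match the valid line above it; as written, a reader may conclude the option name is what makes the entry invalid rather than the embedded white space, which is the point the example is making. The anchor name="Compliment" is misspelled relative to the heading "Complementing an Address or Subnet"; since external links may already target it, keep that anchor and at most add a correctly spelled one beside it rather than renaming.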


@ -1,234 +1,196 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title> <title>Download</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format
<p>The entire set of Shorewall documentation is available in PDF format at:</p> at:</p>
<p>&nbsp;&nbsp;&nbsp; <a
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a &nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a &nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the
<p>The documentation in HTML format is included in the .rpm and in the .tgz .tgz
packages below.</p> packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
<p> Once you've printed the appropriate QuickStart Guide, download <u> one</u> of the modules:</p>
one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
<b> Linux PPC</b> or <b> TurboLinux</b> distribution PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
with a 2.4 kernel, you can use the RPM version (note: the TurboLinux</b> distribution with a 2.4 kernel, you can
RPM should also work with other distributions that store use the RPM version (note: the RPM should also work with other
init scripts in /etc/init.d and that include chkconfig distributions that store init scripts in /etc/init.d and that include
or insserv). If you find that it works in other cases, let <a chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
I can mention them here. See the <a href="Install.htm">Installation them here. See the <a href="Install.htm">Installation Instructions</a>
Instructions</a> if you have problems installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp <li>If you are running LRP, download the .lrp file (you might also
file (you might also want to download the .tgz so you will want to download the .tgz so you will have a copy of the documentation).</li>
have a copy of the documentation).</li> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
<li>If you run <a would like a .deb package, Shorewall is included in both the <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm
<p>The documentation in HTML format is included in the .tgz and .rpm files files and there is an documentation .deb that also contains the
and there is an documentation .deb that also contains the documentation.  The documentation.&nbsp;&nbsp;The .rpm will install the documentation in
.rpm will install the documentation in your default document directory your default document directory which can be obtained using the
which can be obtained using the following command:<br> following command:<br>
</p> </p>
<blockquote> <blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font> errata</a></font> to see if there are updates that apply to the version
to see if there are updates that apply to the version that you have downloaded.</p>
that you have downloaded.</p> <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION completed configuration of your firewall, you can enable startup by
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration removing the file /etc/shorewall/startup_disabled.</b></font></p>
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p> <p><b></b></p>
<p><b>Download Sites:</b></p> <p><b>Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> <td> <a target="_blank"
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> <td><a target="_blank"
<td><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td> Unavailable)</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> <td><a target="_blank"
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td valign="top">Taiwan<br> <td valign="top">Taiwan<br>
</td> </td>
<td valign="top">Greshko.com<br> <td valign="top">Greshko.com<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br> href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td> </a></td>
<td valign="top"><a <td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br> href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">Argentina<br> <td valign="top">Argentina<br>
</td> </td>
<td valign="top">Shorewall.net<br> <td valign="top">Shorewall.net<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br> href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td> </td>
<td valign="top">N/A<br> <td valign="top">N/A<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">Brazil<br> <td valign="top">Brazil<br>
</td> </td>
<td valign="top">securityopensource.org.br<br> <td valign="top">securityopensource.org.br<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br> href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td> </td>
<td valign="top">N/A<br> <td valign="top">N/A<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
<td><a target="_blank">Browse</a></td>
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
at cvs.shorewall.net</a> contains the latest snapshots of the repository at cvs.shorewall.net</a> contains the latest snapshots of
each Shorewall component. There's no guarantee that what you find the each Shorewall component. There's no guarantee that what you find
there will work at all.<br> there will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><b>Shapshots:<br> <p align="left"><b>Shapshots:<br>
</b></p> </b></p>
<blockquote> <blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a <p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a> href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>). (<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed These snapshots have undergone initial testing and will have been
and run at shorewall.net.<br> installed and run at shorewall.net.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
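Review bot: the change from '%{defaultdocdir}' to '%{_defaultdocdir}' in the rpm --eval example is correct; the standard rpm macro carries the leading underscore, so the command now prints the documentation directory instead of leaving the macro unexpanded. Two items in the same hunk still need attention: the heading "Shapshots:" should be "Snapshots:", and the France HTTP cell links to .../pub/shorewall/LATEST.lrp while being labelled "Browse" like the directory listings in every other row, so it should either point at the directory or be labelled as a direct download. Since the table sends users to a number of third-party mirrors over plain HTTP and FTP, the page should also state how a fetched package can be checked against the primary site (a checksum or signature published at shorewall.net); neither side of the hunk gives any such guidance.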


@ -1,391 +1,319 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title> <title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
Issues</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
<p align="left"> <b><u>I</u>f you use a Windows system to download a corrected script, be sure to run the script through <u> <a
a corrected script, be sure to run the script through
<u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/" href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first
<p align="left"> <b>If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar
time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory
the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.</b></p>
with the one you downloaded below, and then run install.sh.</b></p> </li>
</li> <li>
<li> <p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall,
<p align="left"> <b>When the instructions say to install a corrected you may rename the existing file before copying in the new file.</b></p>
firewall script in /usr/share/shorewall/firewall, </li>
you may rename the existing file before copying in the new file.</b></p> <li>
</li> <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
<li> COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS if you are running 1.3.7c.</font></b><br>
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER </p>
BELOW. For example, do NOT install the 1.3.9a firewall script </li>
if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol> </ol>
<ul> <ul>
<li><b><a <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> </li>
</li> <li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
href="errata_3.html">Problems in Version 1.3</a></b></li> <li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
<li> <b><a Version 1.1</a></font></b></li>
href="errata_2.htm">Problems in Version 1.2</a></b></li> <li> <b><font color="#660066"><a href="#iptables"> Problem with
<li> <b><font iptables version 1.2.3 on RH7.2</a></font></b></li>
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> <li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
<li> <b><font RedHat
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li> iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
RPM on SuSE</a></b></li> <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
<li><b><a href="#Multiport">Problems MULTIPORT=Yes</a></b></li>
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li> <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
2.4.18-10 and NAT</a></b></li> REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and alt="(New)" width="28" height="12" border="0"> </a><br>
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif" </b></li>
alt="(New)" width="28" height="12" border="0">
</a><br>
</b></li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2> <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3> <h3></h3>
<h3>1.4.6</h3> <h3>1.4.6</h3>
<ul> <ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would <li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
fail to start with the error "ERROR:  Traffic Control requires Mangle"; would fail to start with the error "ERROR:&nbsp; Traffic Control
that problem has been corrected in <a requires Mangle";
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall that problem has been corrected in <a
script</a> which may be installed in /var/share/shorewall/firewall as described href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
above. This problem is also corrected in bugfix release 1.4.6a.</li> firewall script</a> which may be installed in
<li>This problem occurs in all versions supporting traffic control. If /var/share/shorewall/firewall as described above. This problem is also
a MAC address is used in the SOURCE column, an error occurs as follows:<br> corrected in bugfix release 1.4.6a.</li>
<br> <li>This problem occurs in all versions supporting traffic control.
     <font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br> If a MAC address is used in the SOURCE column, an error occurs as
<br> follows:<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in <br>
<a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this &nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
firewall script</a> which may be installed in /var/share/shorewall/firewall `00:08:B5:35:52:E7-d`</tt></font><br>
as described above. For all other versions, you will have to edit your 'firewall' <br>
script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall). For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
Locate the function add_tcrule_() and in that function, replace this line:<br> in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
<br> firewall script</a> which may be installed in
    r=`mac_match $source` <br> /var/share/shorewall/firewall
<br> as described above. For all other versions, you will have to edit your
with<br> 'firewall'
<br> script (in versions 1.4.*, it is located in
     r="`mac_match $source` "<br> /usr/share/shorewall/firewall).
<br> Locate the function add_tcrule_() and in that function, replace this
Note that there must be a space before the ending quote!<br> line:<br>
</li> <br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul> </ul>
<h3>1.4.4b</h3> <h3>1.4.4b</h3>
<ul> <ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped <li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected that have an empty second column (HOSTS). This problem may be corrected
by installing <a by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.</li> described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones <li>The INCLUDE directive doesn't work when placed in the
file. This problem may be corrected by installing <a /etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br> target="_top">this functions script</a> in
</li> /usr/share/shorewall/functions.<br>
</li>
</ul> </ul>
<h3>1.4.4-1.4.4a</h3> <h3>1.4.4-1.4.4a</h3>
<ul> <ul>
<li>Log messages are being displayed on the system console even <li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
<a installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.<br> described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.4<br> <h3>1.4.4<br>
</h3> </h3>
<ul> <ul>
<li> If you have zone names that are 5 characters long, you may <li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a logging experience problems starting Shorewall because the --log-prefix in a
rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li> logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul> </ul>
<h3>1.4.3</h3> <h3>1.4.3</h3>
<ul> <ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended <li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com). to allow integration of Shorewall with Fireparse
Unfortunately, LOGMARKER only solved part of the integration problem. (http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
I have implimented a new LOGFORMAT variable which will replace LOGMARKER of the integration problem. I have implimented a new LOGFORMAT variable
which has completely solved this problem and is currently in production which will replace LOGMARKER which has completely solved this problem
with fireparse here at shorewall.net. The updated files may be found at and is currently in production with fireparse here at shorewall.net.
<a The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>. target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br> See the 0README.txt file for details.<br>
</li> </li>
</ul> </ul>
<h3>1.4.2</h3> <h3>1.4.2</h3>
<ul> <ul>
<li>When an 'add' or 'delete' command is executed, a temporary <li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be corrected directory created in /tmp is not being removed. This problem may be
by installing <a corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above. <br> described above. <br>
</li> </li>
</ul> </ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with <li>Some TCP requests are rejected in the 'common' chain with an ICMP
an ICMP port-unreachable response rather than the more appropriate TCP port-unreachable response rather than the more appropriate TCP RST
RST response. This problem is corrected in <a response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in target="_top">this updated common.def file</a> which may be installed
/etc/shorewall/common.def.<br> in /etc/shorewall/common.def.<br>
</li> </li>
</ul> </ul>
<h3>1.4.1</h3> <h3>1.4.1</h3>
<ul> <ul>
<li>When a "shorewall check" command is executed, each "rule" <li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br> produces the harmless additional message:<br>
<br> <br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator &nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
expected<br> unary operator expected<br>
<br> <br>
You may correct the problem by installing <a You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall target="_top">this corrected script</a> in
as described above.<br> /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.0</h3> <h3>1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt <li>When running under certain shells Shorewall will attempt to
to create ECN rules even when /etc/shorewall/ecn is empty. You may create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a either just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br> correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<hr width="100%" size="2"> <hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p> href="upgrade_issues.htm">a separate page</a>.</p>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
iptables version 1.2.3</font></h3> with iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3
prevent it from working with Shorewall. Regrettably, that prevent it from working with Shorewall. Regrettably, RedHat
RedHat released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
I have also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are
running RedHat 7.1, you can install either of these RPMs currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat has released an iptables-1.2.4 RPM of their own which
has released an iptables-1.2.4 RPM of their own which you can download from<font color="#ff6633"> <a
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and </font>I have installed this RPM on my firewall and
it works fine.</p> it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
<p align="left">If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This <a
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level which corrects a problem with parsing of the --log-level specification
specification while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3> RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel
may experience the following:</p> 2.4.18/19 may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by installing
installing <a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the 1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p> iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<h3><a name="SuSE"></a>Problems installing/upgrading <p>If you find that rpm complains about a conflict with kernel &lt;=
RPM on SuSE</h3> 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
MULTIPORT=Yes</b></h3> <p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
<p>The iptables 1.2.7 release of iptables has made an incompatible consequence, if you install iptables 1.2.7 you must be running
change to the syntax used to specify multiport match rules; Shorewall 1.3.7a or later or:</p>
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set <li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
MULTIPORT=No in /etc/shorewall/shorewall.conf; <li>if you are running Shorewall 1.3.6 you may install <a
or </li>
<li>if
you are running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall as described
as described above.</li> above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following /etc/shorewall/nat entries of the following form will result in
form will result in Shorewall being unable to start:<br> Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> Error message is:<br>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. The solution is to put "no" in the LOCAL column. Kernel support for
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
has disabled it. The 2.4.19 kernel contains corrected support 2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br> <br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT and REJECT
(also applies to 2.4.21-RC1)</b></h3> (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset" Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
is broken. The symptom most commonly seen is that REJECT rules act just tcp-reset" is broken. The symptom most commonly seen is that REJECT
like DROP rules when dealing with TCP. A kernel patch and precompiled modules rules act just like DROP rules when dealing with TCP. A kernel patch
to fix this problem are available at <a and precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br> target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr> <hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
Eastep</a></font>
</p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
</body> </body>
</html> </html>
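Review bot: the two 1.4.6 items tell the reader to install the corrected script in /var/share/shorewall/firewall, which contradicts both the preamble ("install a corrected firewall script in /usr/share/shorewall/firewall") and the second item's own statement that in versions 1.4.* the script is located in /usr/share/shorewall/firewall; the path should read /usr/share/shorewall/firewall in both places, since a script copied to /var/share would never be executed and the user would keep the buggy one. In the "Problems with kernels >= 2.4.18 and RedHat iptables" section the example "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm" names the wrong program: -Uvh and --oldpackage are rpm options, so it should read "rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm". Typos carried over unchanged from the old side: "implimented" (1.4.3), "configuraiton" (NAT section), the double period in "problem.." (1.4.4), and the Fireparse URL given as http://www.firewparse.com, which does not match the product name in the same sentence and should be checked.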

View File

@ -15,25 +15,25 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1> <h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>For information regarding configuring and building GNU/Linux kernels, <p>For information regarding configuring and building GNU/Linux kernels, see
see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p> <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p> <p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote> <blockquote>
<p> <img border="0" src="images/netopts.jpg" width="609" height="842"> <p> <img border="0" src="images/netopts.jpg" width="609" height="842">
</p> </p>
</blockquote> </blockquote>
<p>While not all of the options that I've selected are required, they should <p>While not all of the options that I've selected are required, they should
be sufficient for most applications. Here's an excerpt from the corresponding be sufficient for most applications. Here's an excerpt from the corresponding
@ -42,124 +42,61 @@ to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2"> <blockquote> <font size="2">
<p>#<br> <p>#<br>
# Networking options<br> # Networking options<br>
#<br> #<br>
CONFIG_PACKET=y<br> CONFIG_PACKET=y<br>
# CONFIG_PACKET_MMAP is not set<br> # CONFIG_PACKET_MMAP is not set<br>
# CONFIG_NETLINK_DEV is not set<br> # CONFIG_NETLINK_DEV is not set<br>
CONFIG_NETFILTER=y<br> CONFIG_NETFILTER=y<br>
CONFIG_NETFILTER_DEBUG=y<br> # CONFIG_NETFILTER_DEBUG is not set<br>
CONFIG_FILTER=y<br> CONFIG_FILTER=y<br>
CONFIG_UNIX=y<br> CONFIG_UNIX=y<br>
CONFIG_INET=y<br> CONFIG_INET=y<br>
CONFIG_IP_MULTICAST=y<br> CONFIG_IP_MULTICAST=y<br>
CONFIG_IP_ADVANCED_ROUTER=y<br> CONFIG_IP_ADVANCED_ROUTER=y<br>
CONFIG_IP_MULTIPLE_TABLES=y<br> CONFIG_IP_MULTIPLE_TABLES=y<br>
CONFIG_IP_ROUTE_FWMARK=y<br> CONFIG_IP_ROUTE_FWMARK=y<br>
CONFIG_IP_ROUTE_NAT=y<br> CONFIG_IP_ROUTE_NAT=y<br>
CONFIG_IP_ROUTE_MULTIPATH=y<br> CONFIG_IP_ROUTE_MULTIPATH=y<br>
CONFIG_IP_ROUTE_TOS=y<br> CONFIG_IP_ROUTE_TOS=y<br>
CONFIG_IP_ROUTE_VERBOSE=y<br> CONFIG_IP_ROUTE_VERBOSE=y<br>
# CONFIG_IP_ROUTE_LARGE_TABLES is not set<br> # CONFIG_IP_ROUTE_LARGE_TABLES is not set<br>
# CONFIG_IP_PNP is not set<br> # CONFIG_IP_PNP is not set<br>
CONFIG_NET_IPIP=m<br> CONFIG_NET_IPIP=y<br>
CONFIG_NET_IPGRE=m<br> CONFIG_NET_IPGRE=y<br>
# CONFIG_NET_IPGRE_GROADCAST is not set<br> # CONFIG_NET_IPGRE_BROADCAST is not set<br>
# CONFIG_IP_MROUTE is not set<br> # CONFIG_IP_MROUTE is not set<br>
# CONFIG_ARPD is not set<br> # CONFIG_ARPD is not set<br>
CONFIG_INET_ECN=y<br> CONFIG_INET_ECN=y<br>
CONFIG_SYN_COOKIES=y</p> CONFIG_SYN_COOKIES=y<br>
</font> </blockquote> </p>
</font> </blockquote>
<p>Here's a screen shot of my Netfilter configuration:</p> <p>Here's a screen shot of my Netfilter configuration:</p>
<blockquote> <blockquote>
<p><img border="0" src="images/menuconfig.jpg" width="609" <p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
height="842"> width="589" height="849">
</p> <br>
</blockquote> </p>
<p>Here's an excerpt from the corresponding .config file.</p>
<blockquote>
<p><font size="2">#<br>
# IP: Netfilter Configuration<br>
#<br>
CONFIG_IP_NF_CONNTRACK=y<br>
CONFIG_IP_NF_FTP=m<br>
# CONFIG_IP_NF_QUEUE is not set<br>
CONFIG_IP_NF_IPTABLES=y<br>
CONFIG_IP_NF_MATCH_LIMIT=y<br>
CONFIG_IP_NF_MATCH_MAC=y<br>
CONFIG_IP_NF_MATCH_MARK=y<br>
CONFIG_IP_NF_MATCH_MULTIPORT=y<br>
CONFIG_IP_NF_MATCH_TOS=y<br>
# CONFIG_IP_NF_MATCH_TCPMSS is not set<br>
CONFIG_IP_NF_MATCH_STATE=y<br>
# CONFIG_IP_NF_MATCH_UNCLEAN is not set<br>
# CONFIG_IP_NF_MATCH_OWNER is not set<br>
CONFIG_IP_NF_FILTER=y<br>
CONFIG_IP_NF_TARGET_REJECT=y<br>
# CONFIG_IP_NF_TARGET_MIRROR is not set<br>
CONFIG_IP_NF_NAT=y<br>
CONFIG_IP_NF_NAT_NEEDED=y<br>
CONFIG_IP_NF_TARGET_MASQUERADE=y<br>
CONFIG_IP_NF_TARGET_REDIRECT=y<br>
CONFIG_IP_NF_NAT_FTP=m<br>
CONFIG_IP_NF_MANGLE=y<br>
CONFIG_IP_NF_TARGET_TOS=y<br>
CONFIG_IP_NF_TARGET_MARK=y<br>
CONFIG_IP_NF_TARGET_LOG=y<br>
CONFIG_IP_NF_TARGET_TCPMSS=y<br>
# CONFIG_IPV6 is not set</font><font face="Courier"><br>
</font></p>
</blockquote>
<p>Note that I have built everything I need into the kernel except for the
FTP connection tracking and NAT modules. I have also run successfully with
all of the options selected above built as modules:</p>
<blockquote>
<p><img border="0" src="images/menuconfig1.jpg" width="609"
height="842">
</p>
<p><font size="2">#<br>
# IP: Netfilter Configuration<br>
#<br>
CONFIG_IP_NF_CONNTRACK=m<br>
CONFIG_IP_NF_FTP=m<br>
# CONFIG_IP_NF_QUEUE is not set<br>
CONFIG_IP_NF_IPTABLES=m<br>
CONFIG_IP_NF_MATCH_LIMIT=m<br>
CONFIG_IP_NF_MATCH_MAC=m<br>
CONFIG_IP_NF_MATCH_MARK=m<br>
CONFIG_IP_NF_MATCH_MULTIPORT=m<br>
CONFIG_IP_NF_MATCH_TOS=m<br>
# CONFIG_IP_NF_MATCH_TCPMSS is not set<br>
CONFIG_IP_NF_MATCH_STATE=m<br>
# CONFIG_IP_NF_MATCH_UNCLEAN is not set<br>
# CONFIG_IP_NF_MATCH_OWNER is not set<br>
CONFIG_IP_NF_FILTER=m<br>
CONFIG_IP_NF_TARGET_REJECT=m<br>
# CONFIG_IP_NF_TARGET_MIRROR is not set<br>
CONFIG_IP_NF_NAT=m<br>
CONFIG_IP_NF_NAT_NEEDED=m<br>
CONFIG_IP_NF_TARGET_MASQUERADE=m<br>
CONFIG_IP_NF_TARGET_REDIRECT=m<br>
CONFIG_IP_NF_NAT_FTP=m<br>
CONFIG_IP_NF_MANGLE=m<br>
CONFIG_IP_NF_TARGET_TOS=m<br>
CONFIG_IP_NF_TARGET_MARK=m<br>
CONFIG_IP_NF_TARGET_LOG=m<br>
CONFIG_IP_NF_TARGET_TCPMSS=m<br>
# CONFIG_IPV6 is not set<br>
</font></p>
</blockquote> </blockquote>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <a <p>Note that I have built everything I need as modules. You can also build
everything into your kernel but if you want to be able to deal with FTP running
on a non-standard port then I recommend that you modularize FTP Protocol
support.<br>
</p>
<p>Here's the corresponding part of my .config file:<br>
</p>
<blockquote>
<pre>#<br>#   IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
</blockquote>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br> size="2">2001-2003,  Thomas M. Eastep.</font></a><br>
<br>
</body> </body>
</html> </html>
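Review bot: the new Netfilter .config excerpt sets CONFIG_IP_NF_MATCH_UNCLEAN=m, whereas the previous version of the page explicitly left it unset; the unclean match is flagged EXPERIMENTAL in the 2.4 netfilter configuration menu, and the earlier excerpt, which the page described as sufficient for most applications, did without it, so either drop that line or say it is optional. The same excerpt introduces CONFIG_IP_NF_NAT_LOCAL=y without comment; the NAT entry on the errata page in this same commit refers to "corrected support under a new kernel configuraiton option" without naming it, so one sentence here identifying CONFIG_IP_NF_NAT_LOCAL as that option (and as the reason LOCAL=yes works on 2.4.19 and later) would close the loop. The advice to modularize FTP protocol support when FTP runs on a non-standard port gives no reason; the reason is that ip_conntrack_ftp and ip_nat_ftp accept a ports= module parameter at load time, which a built-in has no equivalent for, and stating it makes the recommendation checkable. Minor: the copyright line "2001-2003,  Thomas M. Eastep." has a stray comma and a double space.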

View File

@ -1,153 +1,117 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%" <table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" <td width="33%" valign="middle" align="left">
align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left"> </a></h1>
</a></h1> <a href="http://www.gnu.org/software/mailman/mailman.html"> <img
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt=""> </a>
</a> <p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
<p align="right"><font color="#ffffff"><b>  </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif" href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</a> </p> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <td valign="middle" width="33%"> <a
<a href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
src="images/postfix-white.gif" align="right" border="0" width="158" align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
height="84" alt="(Postfix Logo)"> </a><br>
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0"> </a> </div>
</a> </div> <br>
<br>
<div align="right"><b><font color="#ffffff"><br> <div align="right"><b><font color="#ffffff"><br>
</font></b><br> </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <big><span style="color: rgb(255, 0, 0);"><span
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support style="font-weight: bold;">If you are reporting a problem or asking a
Guide</a>.<br> question, you are at the wrong place -- please see the <a
</h1> href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
<br>
<p align="left">If you experience problems with any of these lists, please If you experience problems with any of these lists,
let <a href="mailto:postmaster@shorewall.net">me</a> know</p> please let <a href="mailto:postmaster@shorewall.net">me</a>
know
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to
<p align="left">You can report such problems by sending mail to tmeastep tmeastep at
at hotmail dot com.</p> hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net&nbsp;<a
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks
<p>Please note that the mail server at shorewall.net incoming mail:<br>
checks incoming mail:<br> </p>
</p>
<ol> <ol>
<li>against <a <li>against <a href="http://spamassassin.org">Spamassassin</a>
href="http://spamassassin.org">Spamassassin</a> (including <a (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> </li>
</li> <li>to ensure that the sender address is
<li>to ensure that the sender address is fully fully qualified.</li>
qualified.</li> <li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to verify that the sender's domain has <li>to ensure that the host name in the HELO/EHLO command is a valid
an A or MX record in DNS.</li> fully-qualified DNS name.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers A growing number of MTAs serving list subscribers are rejecting all
are rejecting all HTML traffic. At least one MTA has gone so far HTML traffic. At least one MTA has gone so far as to blacklist
as to blacklist shorewall.net "for continuous abuse" because it has shorewall.net "for continuous abuse" because it has been my policy to
been my policy to allow HTML in list posts!!<br> allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way I think that blocking all HTML is a Draconian way to control spam and
to control spam and that the ultimate losers here are not the spammers that the ultimate losers here are not the spammers but the list
but the list subscribers whose MTAs are bouncing all shorewall.net subscribers whose MTAs are bouncing all shorewall.net mail. As one list
mail. As one list subscriber wrote to me privately "These e-mail admin's subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
need to get a <i>(explitive deleted)</i> life instead of trying to rid deleted)</i> life instead of trying to
the planet of HTML based e-mail". Nevertheless, to allow subscribers rid the planet of HTML based e-mail". Nevertheless, to allow
to receive list posts as must as possible, I have now configured the subscribers to receive list posts as must as possible, I have now
list server at shorewall.net to strip all HTML from outgoing posts. This configured the list server at shorewall.net to strip all HTML from
means that HTML-only posts will be bounced by the list server.<br> outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list If you find that you are missing an occasional list post, your e-mail
post, your e-mail admin may be blocking mail whose <i>Received:</i> admin may be blocking mail whose <i>Received:</i> headers contain the
headers contain the names of certain ISPs. Again, I believe that such names of certain ISPs. Again, I believe that such policies hurt more
policies hurt more than they help but I'm not prepared to go so far than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
as to start stripping <i>Received:</i> headers to circumvent those headers to circumvent those policies.<br>
policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
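Review bot: the rewritten list item about the HELO/EHLO check drops the qualifier "that resolves" (the old column says "a valid fully-qualified DNS name that resolves", the new one only "a valid fully-qualified DNS name"); if the mail server still requires the HELO name to resolve, the new wording under-describes the check and will confuse senders whose mail is rejected, so either keep the qualifier or say what changed on the server. In the new column the "If you experience problems with any of these lists, please let me know" sentence is no longer wrapped in a `<p>` (the old `<p align="left">...</p>` was dropped), so it will run straight into the following `<h2>` without paragraph spacing. Two typos survive the reflow of the "Please post in plain text" paragraph on both sides: "explitive" should be "expletive" and "as must as possible" should be "as much as possible"; "admin's" is a plural here, so "admins".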
@ -156,134 +120,122 @@ policies.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" </font> <input type="hidden" name="config" value="htdig"> <input
name="config" value="htdig"> <input type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input
name="exclude" value=""> <br> type="hidden" name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30" name="words" value=""> <input
name="words" value=""> <input type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download
<h2 align="left"><font color="#ff0000">Please do not try to download the the entire
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply Archive -- it is 164MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br> won't
</font></h2> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued If you want to trust X.509 certificates issued by Shoreline Firewall
by Shoreline Firewall (such as the one used on my web site), (such as the one used on my web site), you may <a
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates in your browser. If you don't wish to trust my certificates then you
then you can either use unencrypted access when subscribing to can either use unencrypted access when subscribing to Shorewall mailing
Shorewall mailing lists or you can use secure access (SSL) and accept lists or you can use secure access (SSL) and
the server's certificate when prompted by your browser.<br> accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for
<p align="left">The Shorewall Users Mailing list provides a way for users users to get answers to questions and to report problems. Information
to get answers to questions and to report problems. Information of general interest to the Shorewall user community is also posted to
of general interest to the Shorewall user community is also this list.</p>
posted to this list.</p> <p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a
<p align="left"><b>To post a problem report to this list or to subscribe href="http://www.shorewall.net/support.htm">problem
to the list, please see the <a reporting guidelines</a>.<br>
href="http://www.shorewall.net/support.htm">problem reporting guidelines</a>.</b></p> </b></big></p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<br>
</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from
may be found at <a that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to
<p align="left">This list is for announcements of general interest to the the Shorewall community. <big><span style="color: rgb(255, 0, 0);"><span
Shorewall community. To subscribe:<br> style="font-weight: bold;">DO NOT USE THIS LIST FOR REPORTING PROBLEMS
</p> OR ASKING FOR HELP.</span></span></big><br>
</p>
<p align="left"></p> <p align="left">To subscribe: <a
<ul>
<li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https://lists.shorewall.net/mailman/listinfo/shorewall-announce</a>.
<br>
</ul> </p>
<a
<p align="left"><br> href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
The list archives are at <a target="_top"></a>
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for
coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br>
</p>
<ul> <ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul> </ul>
The list archives are at <a
<p align="left"> To post to the list, post to <a href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum
for the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development. <big><span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">DO NOT
USE THIS LIST FOR REPORTING PROBLEMS OR ASKING FOR HELP.</span></span></big></p>
<p align="left">To subscribe to the mailing list: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of of the Mailing Lists</h2>
the Mailing Lists</h2> <p align="left">There seems to be near-universal confusion about
unsubscribing from Mailman-managed lists although Mailman 2.1 has
<p align="left">There seems to be near-universal confusion about unsubscribing attempted to make this less confusing. To unsubscribe:</p>
from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to
<p align="left">Follow the same link above that you used to subscribe subscribe to the list.</p>
to the list.</p> </li>
</li> <li>
<li> <p align="left">Down at the bottom of that page is the following
text: " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
<p align="left">Down at the bottom of that page is the following text: get a password reminder, or change your subscription options
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get enter your subscription email address:". Enter your email address in
a password reminder, or change your subscription options enter the box and click on the "<b>Unsubscribe</b> or edit
your subscription email address:". Enter your email address options" button.</p>
in the box and click on the "<b>Unsubscribe</b> or edit options" </li>
button.</p> <li>
</li> <p align="left">There will now be a box where you can enter your
<li> password and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
<p align="left">There will now be a box where you can enter your password to be emailed to you.</p>
and click on "Unsubscribe"; if you have forgotten your password, </li>
there is another button that will cause your password to be
emailed to you.</p>
</li>
</ul> </ul>
<hr> <hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2> <h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 9/17/2003 - <a
<p align="left"><font size="2">Last updated 8/1/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>
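Review bot: the Shorewall Users section loses its subscription URL and posting address: the old "To subscribe: https//lists.shorewall.net/mailman/listinfo/shorewall-users" paragraph and the "To post to the list, post to shorewall-users@lists.shorewall.net" paragraph are removed with nothing put in their place, so the new page tells readers to read the reporting guidelines before posting but never says where to subscribe or post. For the devel list, the new subscription anchor text still reads `https//lists.shorewall.net/mailman/listinfo/shorewall-devel.` (missing colon after `https`, trailing period inside the link), while the announce link in the same hunk was corrected to `https://...` with the period outside; fix the devel link the same way. The new column also leaves an empty `<a href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" target="_top"></a>` after the announce subscription paragraph and two empty `<ul></ul>` pairs (one after it, one after the devel subscribe line); those can be deleted.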

File diff suppressed because one or more lines are too long


@ -2,190 +2,170 @@
<html> <html>
<head> <head>
<title>ICMP Echo-request (Ping)</title> <title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1> <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time with the latest Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade version</b></font>". If that command gives you an error, it's time to
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br> upgrade since you have a very old version of Shorewall installed (1.2.4
or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2> <h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just In Shoreall 1.4.0 and later version, ICMP echo-request's are treated
like any other connection request.<br> just like any other connection request.<br>
<br> <br>
In order to accept ping requests from zone z1 to zone z2 where the policy In order to accept ping requests from zone z1 to zone z2 where the
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the policy for z1 to z2 is not ACCEPT, you need a rule in
form:<br> /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> Example: <br>
Example: <br> <br>
<br> To permit ping from the local zone to the firewall:<br>
To permit ping from the local zone to the firewall:<br> <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; </blockquote>
icmp&nbsp;&nbsp;&nbsp; 8<br> If you would like to accept 'ping' by default even when the relevant
</blockquote> policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
If you would like to accept 'ping' by default even when the relevant doesn't already exist and in that file place the following command:<br>
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> Example:<br>
Example:<br> <br>
<br> To drop ping from the internet, you would need this rule in
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> /etc/shorewall/rules:<br>
<br> <br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> <h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with
OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No In 1.3.14, Ping handling was put under control of the rules and
in /etc/shorewall/shorewall.conf</h2> policies just like any other connection request. In order to accept
In 1.3.14, Ping handling was put under control of the rules and policies ping requests from zone z1 to zone z2 where the policy for z1 to z2 is
just like any other connection request. In order to accept ping requests not ACCEPT, you need a rule in /etc/shoreall/rules of the form:<br>
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
need a rule in /etc/shoreall/rules of the form:<br> z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; Example: <br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> <br>
</blockquote> To permit ping from the local zone to the firewall:<br>
Example: <br> <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
<br> fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
To permit ping from the local zone to the firewall:<br> </blockquote>
If you would like to accept 'ping' by default even when the relevant
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
icmp&nbsp;&nbsp;&nbsp; 8<br> doesn't already exist and in that file place the following command:<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> Example:<br>
Example:<br> <br>
<br> To drop ping from the internet, you would need this rule in
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> <span style="font-weight: bold;">NOTE:&nbsp; </span>There is one
exception to the above description. In 1.3.14 and 1.3.14a, ping from
<blockquote> </blockquote> the firewall itself is enabled unconditionally. This suprising
"feature" was removed in version 1.4.0.<br>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br> <blockquote> </blockquote>
</h2> <blockquote> </blockquote>
There are several aspects to the old Shorewall Ping management:<br> <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <li>The <b>noping</b> and <b>filterping </b>interface options in <a
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here <li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li> and simple routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3> <h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified <li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li> be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives <li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li> the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the <li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li> request is passed to the rules/policy evaluation.</li>
</ol> </ol>
<h3>Ping Requests Forwarded by the Firewall</h3> <h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br> These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3> <h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br> Ping requests are ICMP type 8. So the general rule format is:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br> Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp;
<br> 8<br>
Example 1. Accept pings from the net to the dmz (pings are responded <br>
to with an ICMP echo-reply):<br> Example 1. Accept pings from the net to the dmz (pings are responded to
<br> with an ICMP echo-reply):<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; <br>
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br> &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
<br> dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
Example 2. Drop pings from the net to the firewall<br> <br>
<br> Example 2. Drop pings from the net to the firewall<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <br>
icmp&nbsp;&nbsp;&nbsp; 8<br> &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3> <h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to If no applicable rule is found, then the policy for the source to
the destination is applied.<br> the destination is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded <li>If the relevant policy is ACCEPT then the request is responded to
to with an ICMP echo-reply.</li> with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in
then the request is responded to with an ICMP echo-reply.</li> /etc/shorewall/shorewall.conf then the request is responded to with an
<li>Otherwise, the relevant REJECT or DROP policy is used and the ICMP echo-reply.</li>
request is either rejected or simply ignored.</li> <li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol> </ol>
<div style="text-align: justify;"><font size="2">Updated 8/23/2003 - <a
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a> href="support.htm">Tom Eastep</a></font></div>
</font></p> <p><font size="2"> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
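Review bot: the footer rewrite at the end of this hunk leaves an empty paragraph behind: after the new `<div style="text-align: justify;">Updated 8/23/2003 ...</div>` the new side still carries `<p><font size="2"> </font></p>`, which renders as a blank line above the copyright. Either drop that empty `<p>`, or keep the original `<p><font size="2">Updated ...</font></p>` and change only the date, since a justify `<div>` adds nothing to a one-line footer. One documentation point in the unchanged Policy Evaluation list: item 2 says that FORWARDPING=Yes makes the request be answered, but nothing states which ping requests that setting governs, and the section above says forwarded requests are always passed to rules/policy evaluation; a clause naming the case it applies to (the firewall itself as destination, as in Example 2, or forwarded requests) would remove the ambiguity.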


@ -1,112 +1,102 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Samba</title> <title>Samba</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Samba</font></h1> <h1 align="center"><font color="#ffffff">Samba</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>If you wish to run Samba on your firewall and access shares between
<p>If you wish to run Samba on your firewall and access shares between the the firewall and local hosts, you need the following rules:</p>
firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4> <h4>/etc/shorewall/rules:</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>loc</td> <td>loc</td>
<td>udp</td> <td>udp</td>
<td>137:139</td> <td>137:139</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>loc</td> <td>loc</td>
<td>tcp</td> <td>tcp</td>
<td>137,139</td> <td>137,139,445</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>loc</td> <td>loc</td>
<td>udp</td> <td>udp</td>
<td>1024:</td> <td>1024:</td>
<td>137</td> <td>137</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>loc</td> <td>loc</td>
<td>fw</td> <td>fw</td>
<td>udp</td> <td>udp</td>
<td>137:139</td> <td>137:139</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>loc</td> <td>loc</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>137,139</td> <td>137,139,445</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>loc</td> <td>loc</td>
<td>fw</td> <td>fw</td>
<td>udp</td> <td>udp</td>
<td>1024:</td> <td>1024:</td>
<td>137</td> <td>137</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p> Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
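Review bot: the TCP rows now read `137,139,445` in both directions, but the introductory sentence is unchanged and gives no reason for the new port, so a reader with an older configuration cannot tell whether 445 is required or optional; one sentence saying that 445 carries SMB directly over TCP (without the NetBIOS session service on 139) would justify the change. Separately, the rows `ACCEPT fw loc udp 1024: 137` and `ACCEPT loc fw udp 1024: 137` match on the source port only, and the source port is chosen by the sender: the loc-to-fw row therefore admits any UDP datagram from a local host to every firewall port from 1024 upward as long as it is sent from port 137. The text should say what traffic the rule is for (NetBIOS name-service replies on UDP 137 to the ephemeral port of the querier) so that an administrator can decide whether to keep it or narrow it.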

File diff suppressed because it is too large


@ -1,119 +1,67 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/Tom.jpg"
<p align="center"> <img border="3" src="images/Tom.jpg" alt="Aging Geek - June 2003" width="320" height="240"> </p>
alt="Aging Geek - June 2003" width="320" height="240"> <p align="center">"The Aging Geek" -- June 2003<br>
</p> <br>
</p>
<p align="center">Tom -- June 2003<br>
<br>
</p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
href="http://www.experiencewashington.com">Washington State</a> .</li> State</a> .</li>
<li>BA Mathematics from <a <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
href="http://www.wsu.edu">Washington State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a href="http://www.washington.edu">University
href="http://www.washington.edu">University of Washington</a> 1969</li> of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
Computers, Incorporated</a> (now part of the <a (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
href="http://www.hp.com">The New HP</a>) 1980 - present</li> present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation
<p>I am currently a member of the design team for the next-generation operating operating system from the NonStop Enterprise Division of HP. </p>
system from the NonStop Enterprise Division of HP. </p> <p>I became interested in Internet Security when I established a home
office in 1999 and had DSL service installed in our home. I
<p>I became interested in Internet Security when I established a home office investigated ipchains and developed the scripts which are now
in 1999 and had DSL service installed in our home. I collectively known as <a href="http://seawall.sourceforge.net">
investigated ipchains and developed the scripts which are now Seattle Firewall</a>. Expanding on what I learned from Seattle
collectively known as <a href="http://seawall.sourceforge.net"> Seattle Firewall, I then designed and wrote Shorewall. </p>
Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a>
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, Washington</a>
I live with my wife Tarry.  </p> where
I live with my wife Tarry.&nbsp; </p>
<p></p> <p></p>
<ul> <ul>
</ul> </ul>
<p>For information about our home network see <a href="myfiles.htm">my
<p>For information about our home network see <a href="myfiles.htm">my Shorewall Shorewall Configuration files.</a></p>
Configuration files.</a></p> <p>All of our other systems are made by <a href="http://www.compaq.com">Compaq</a>
(part of the new <a href="http://www.hp.com/">HP</a>).</p>
<p>All of our other systems are made by <a <p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="http://www.compaq.com">Compaq</a> (part of the new <a href="support.htm">Tom Eastep</a></font> </p>
href="http://www.hp.com/">HP</a>).</p> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img
border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
height="25">
</a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a
href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/ProtectedBy.png"
alt="Protected by Shorewall" width="200" height="42" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
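Review bot: the rewrite removes the paragraph of "powered by" logo images but leaves two empty elements in place on the new side, `<p></p>` followed by an empty `<ul>` `</ul>` between the Shoreline paragraph and the home-network paragraph; they only render as blank space and should be removed with the logos. The image `alt` text and the caption also now disagree: `alt="Aging Geek - June 2003"` against the caption `"The Aging Geek" -- June 2003`; use one form in both places.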


@ -2,155 +2,159 @@
<html> <html>
<head> <head>
<title>Shorewall Logging</title> <title>Shorewall Logging</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1> <h1 align="center"><font color="#ffffff">Logging</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using classifies log messages by a <i>facility</i> and a <i>priority</i>
the notation <i>facility.priority</i>). <br> (using the notation <i>facility.priority</i>). <br>
<br> <br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon, The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br> through <i>local7</i>.<br>
<br> <br>
Throughout the Shorewall documentation, I will use the term <i>level</i> Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter. rather than <i>priority</i> since <i>level</i> is the term used by
The syslog documentation uses the term <i>priority</i>.<br> NetFilter. The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br> <h3>Syslog Levels<br>
</h3> </h3>
Syslog levels are a method of describing to syslog (8) the importance Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level of a message and a number of Shorewall parameters have a syslog level
as their value.<br> as their value.<br>
<br> <br>
Valid levels are:<br> Valid levels are:<br>
<br> <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br> 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">debug</span>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Debug-level messages)<br>
info<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">info</span>
notice<br> (Informational)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br> 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">notice</span>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Normal but significant Condition)<br>
err<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-weight: bold;">
crit<br> warning</span> (Warning Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br> 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">err</span>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Error Conditions)<br>
emerg<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br> 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">crit</span>
For most Shorewall logging, a level of 6 (info) is appropriate. (Critical Conditions)<br>
Shorewall log messages are generated by NetFilter and are logged using &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
the <i>kern</i> facility and the level that you specify. If you are 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">alert</span>
unsure of the level to choose, 6 (info) is a safe bet. You may specify (Must be handled immediately)<br>
levels by name or by number.<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br> 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">emerg</span>
Syslogd writes log messages to files (typically in /var/log/*) (System is unusable)<br>
based on their facility and level. The mapping of these facility/level <br>
pairs to log files is done in /etc/syslog.conf (5). If you make changes For most Shorewall logging, a level of 6 (info) is appropriate.
to this file, you must restart syslogd before the changes can take effect.<br> Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3> <h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br> There are a couple of limitations to syslogd-based logging:<br>
<ol> <ol>
<li>If you give, for example, kern.info it's own log destination then <li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice) that destination will also receive all kernel messages of levels 5
through 0 (emerg).</li> (notice) through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just <li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br> those from NetFilter.<br>
</li> </li>
</ol> </ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
target support (and most vendor-supplied kernels do), you may also specify support (and most vendor-supplied kernels do), you may also specify a
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is available will send them to a process called 'ulogd'. The ulogd program is
from http://www.gnumonks.org/projects/ulogd and can be configured to log available from http://www.gnumonks.org/projects/ulogd and can be
all Shorewall message to their own log file.<br> configured to log all Shorewall message to their own log file.<br>
<br> <br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf
absolutely no effect on your Shorewall logging (except for Shorewall status have
messages which still go to syslog).<br> absolutely no effect on your Shorewall logging (except for Shorewall
<br> status
You will need to have the kernel source available to compile ulogd.<br> messages which still go to syslog).<br>
<br> <br>
Download the ulod tar file and:<br> You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol> <ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br> <li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li> </li>
<li>cd /usr/local/src (or wherever you do your builds)</li> <li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li> <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br> <li>cd ulogd-<i>version</i><br>
</li> </li>
<li>./configure</li> <li>./configure</li>
<li>make</li> <li>make</li>
<li>make install<br> <li>make install<br>
</li> </li>
</ol> </ol>
If you are like me and don't have a development environment on your If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either NFS firewall, you can do the first six steps on another system then either
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> NFS
directory and move it to your firewall system.<br> mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
<br> directory and move it to your firewall system.<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br> <br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol> <ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li> <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li> <li>syslogsync 1</li>
</ol> </ol>
Also on the firewall system:<br> Also on the firewall system:<br>
<blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br> <blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
</blockquote> </blockquote>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" to /etc/init.d/ulogd. I had to edit the line that read "daemon
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple /usr/local/sbin/ulogd" to read daemon /usr/local/sbin/ulogd -d". On a
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system RedHat system, a simple
may need something else done to activate the script.<br> "chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init
<br> system
You will need to change all instances of log levels (usually 'info') in may need something else done to activate the script.<br>
your configuration files to 'ULOG' - this includes entries in the policy, <br>
rules and shorewall.conf files. Here's what I have:<br> You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the
policy, rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre> <pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and where to look for the log when processing its "show log", "logwatch"
"monitor" commands.<br> and
"monitor" commands.<br>
<p><font size="2"> Updated 7/25/2003 - <a href="support.htm">Tom Eastep</a> <h2>Syslog-ng</h2>
</font></p> <a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; is a post describing configuring syslog-ng to work with Shorewall.<br>
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br> <p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
</p> </font></p>
<br> <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
<br> size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body> </body>
</html> </html>
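Review bot: the typo `ulod` in "Download the ulod tar file" survives the rewrap on the new side (just before the numbered build steps) and should read `ulogd`; in the same region "log all Shorewall message to their own log file" needs "messages", "give ... kern.info it's own log destination" needs "its", and the ulogd.init sentence is missing the opening quote on the replacement text (it should read `to read "daemon /usr/local/sbin/ulogd -d"`). The new `<h2>Syslog-ng</h2>` sits one level above the other section headings on this page (`<h3>Syslog Levels</h3>`, `<h3>Configuring a Separate Log for Shorewall Messages</h3>`); make it `<h3>`, and give the section a sentence of its own rather than only the off-site mailing-list link, since that archive URL is the sole source for the configuration. One operational caveat is worth adding beside `chkconfig --level 3 ulogd on`: it enables ulogd in runlevel 3 only, and once every log level in policy, rules and shorewall.conf has been switched to ULOG, a firewall booted into any other runlevel produces no firewall log at all, because, as the Note above says, syslog no longer sees those messages; suggest `chkconfig --level 345 ulogd on` or a reminder to confirm ulogd is running after a reboot.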


@ -1,98 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title> <title>Shorewall Mirrors</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left"><b>Remember that updates to the mirrors are often
<p align="left"><b>Remember that updates to the mirrors are often delayed delayed for 6-12 hours after an update to the primary rsync site. For
for 6-12 hours after an update to the primary rsync site. For HTML content, HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>) is updated at the same time as the rsync site.</b></p>
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a <p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p> and is located in California, USA. It is mirrored at:</p>
<ul> <ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> <li><a target="_top" href="http://slovakia.shorewall.net">http://slovakia.shorewall.net</a>
http://slovakia.shorewall.net</a> (Slovak Republic).</li> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" <li> <a href="http://www.infohiiway.com/shorewall" target="_top">http://shorewall.infohiiway.com</a>
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> <li><a target="_top" href="http://germany.shorewall.net">http://germany.shorewall.net</a>
http://germany.shorewall.net</a> (Hamburg, Germany)</li> - Also accessible as <a href="http://www.shorewall.de" target="_top">http://www.shorewall.de</a>
<li><a target="_top" (Hamburg, Germany)</li>
href="http://france.shorewall.net">http://france.shorewall.net</a> <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl <li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li> </a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a> <li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li> (Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a> <li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li> (Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br" <li><a href="http://shorewall.securityopensource.org.br" target="_top">http://shorewall.securityopensource.org.br</a>
target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br> (Brazil)</li>
</li> <li><a href="http://www.shorewall.com.au" target="_top">http://www.shorewall.com.au</a>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> (Australia)<br>
(Washington State, USA)<br> </li>
</li> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul> </ul>
<p align="left">The rsync site is mirrored via FTP at:</p> <p align="left">The rsync site is mirrored via FTP at:</p>
<ul> <ul>
<li><a target="_blank" <li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a> href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li> (Slovak Republic).</li>
<li> <a <li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA
(Texas, USA -- temporarily unavailable).</li> -- temporarily unavailable).</li>
<li><a target="_blank" <li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a> href="ftp://germany.shorewall.net/pub/shorewall">ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li> AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shorewall.de/pub/shorewall</a>
<li> <a target="_blank" (Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" <li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" <li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
target="_blank">ftp://ftp.shorewall.net </a>(Washington State, USA)<br> (Australia)<br>
</li> </li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul> </ul>
Search results and the mailing list archives are always fetched Search results and the mailing list archives are always fetched from
from the site in Washington State.<br> the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/27/2003 - <a
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
</p> Eastep</font></a></font><br>
<br> </p>
<br>
</body> </body>
</html> </html>
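Review bot: the new Australian entry, `<li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>`, links to the bare host while every other mirror in this list points at a `/pub/shorewall` or `/pub/mirrors/shorewall` directory, and it uses `target="_top"` where the neighbouring entries use `target="_blank"`; confirm the missing path is intentional and align the target attribute with the rest of the list. The Texas mirror (`ftp.infohiiway.com`) is kept as a live link even though its caption still says "temporarily unavailable"; unlinking it until it is back would stop readers being sent to a dead FTP server. Since all of these are third-party FTP mirrors, a short sentence telling readers how to check a downloaded tarball against a checksum or signature on the primary site, if one is published, would be a useful addition to this list.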

View File

@ -1,373 +1,282 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart
Guides (HOWTO's)<br>
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides </font></h1>
(HOWTO's)<br> </td>
</font></h1> </tr>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again
<p align="center">With thanks to Richard who reminded me once again that we that we
must all first walk before we can run.<br> must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations of the single-IP guides are courtesy of Patrice
</p> Vetsel<br>
The French Translation of the Shorewall Setup Guide is courtesy of
Fabien Demassieux.<br>
</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring
<p>These guides provide step-by-step instructions for configuring Shorewall Shorewall in common firewall setups.</p>
in common firewall setups.</p> <p>If you have a <font color="#ff0000"><big><big><b>single public IP
address</b></big></big></font>:</p>
<p>If you have a <font color="#ff0000"><big><big><b>single public IP address</b></big></big></font>:</p>
<blockquote> <blockquote>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> <li><a href="standalone.htm">Standalone</a> Linux System (<a
Linux System (<a href="standalone_fr.html">Version Française</a>)</li> href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> <li><a href="two-interface.htm">Two-interface</a> Linux System
Linux System acting as a firewall/router for a small local acting as a firewall/router for a small local network (<a
network (<a href="two-interface_fr.html">Version Française</a>)</li> href="two-interface_fr.html">Version Française</a>)</li>
<li><a <li><a href="three-interface.htm">Three-interface</a> Linux System
href="three-interface.htm">Three-interface</a> Linux System acting as a firewall/router for a small local network and a DMZ. (<a
acting as a firewall/router for a small local network and href="three-interface_fr.html">Version Française</a>)</li>
a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and
<p>The above guides are designed to get your first firewall up and running running quickly in the three most common Shorewall configurations. If
quickly in the three most common Shorewall configurations. you want to learn more about Shorewall than is explained in the above
If you want to learn more about Shorewall than is explained in the above simple guides,&nbsp; the <a href="shorewall_setup_guide.htm">Shorewall
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> Setup Guide</a> (See Index Below) is for you.</p>
(See Index Below) is for you.</p> </blockquote>
</blockquote> <p>If you have <font color="#ff0000"><big><big><b>more than one public
IP address</b></big></big></font>:<br>
<p>If you have <font color="#ff0000"><big><big><b>more than one public IP </p>
address</b></big></big></font>:<br> <blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
</p> Guide</a> (See Index Below) outlines the steps necessary to set up a
firewall where there are multiple public IP
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> addresses involved or if you
(See Index Below) outlines the steps necessary to set up want to learn more about Shorewall than is explained in the
a firewall where there are <small><small><big><big>multiple single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
public IP addresses</big></big></small></small> involved or if you Française</a>).</blockquote>
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
<ul> <ul>
</ul> </ul>
<h2><b><a name="Documentation"></a></b>Documentation Index</h2> <h2><b><a name="Documentation"></a></b>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
Guides</a> described above</b>. Please review the appropriate described above</b>. Please review the appropriate guide before trying
guide before trying to use this documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a <li><a href="Accounting.html">Accounting</a><br>
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces </li>
(e.g., eth0:0)</a><br> <li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual)
</li> Interfaces (e.g., eth0:0)</a><br>
<li><a href="blacklisting_support.htm">Blacklisting</a> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using <li>Dynamic Blacklisting using
/sbin/shorewall</li> /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a <li><a href="starting_and_stopping_shorewall.htm">Commands</a>
href="starting_and_stopping_shorewall.htm">Commands</a> (Description of (Description of
all /sbin/shorewall commands)</li> all /sbin/shorewall commands)</li>
<li><a href="configuration_file_basics.htm">Common configuration <li><a href="configuration_file_basics.htm">Common configuration file
file features</a> </li> features</a>&nbsp;</li>
<ul> <ul>
<li><a href="configuration_file_basics.htm#Comments">Comments in configuration <li><a href="configuration_file_basics.htm#Comments">Comments in
files</a></li> configuration files</a></li>
<li><a href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> <li><a href="configuration_file_basics.htm#Continuation">Line
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a></li> Continuation</a></li>
<li><a href="configuration_file_basics.htm#Ports">Port Numbers/Service <li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
Names</a></li> Directive</a></li>
<li><a href="configuration_file_basics.htm#Ranges">Port Ranges</a></li> <li><a href="configuration_file_basics.htm#Ports">Port
<li><a href="configuration_file_basics.htm#Variables">Using Shell Numbers/Service Names</a></li>
<li><a href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a href="configuration_file_basics.htm#Variables">Using Shell
Variables</a></li> Variables</a></li>
<li><a href="configuration_file_basics.htm#dnsnames">Using DNS Names</a></li> <li><a href="configuration_file_basics.htm#dnsnames">Using DNS Names</a></li>
<li><a href="configuration_file_basics.htm#Compliment">Complementing <li><a href="configuration_file_basics.htm#Compliment">Complementing
an IP address or Subnet</a></li> an IP address or Subnet</a></li>
<li><a href="configuration_file_basics.htm#Configs">Shorewall Configurations <li><a href="configuration_file_basics.htm#Configs">Shorewall
(making a test configuration)</a></li> Configurations (making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using MAC Addresses <li><a href="configuration_file_basics.htm#MAC">Using MAC Addresses
in Shorewall</a> in Shorewall</a> </li>
</li>
</ul> </ul>
<li><a href="Documentation.htm">Configuration <li><a href="Documentation.htm">Configuration File Reference Manual</a>
File Reference Manual</a>
<ul> <ul>
<li> <a <li> <a href="Documentation.htm#Variables">params</a></li>
href="Documentation.htm#Variables">params</a></li> <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
href="Documentation.htm#Zones">zones</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
href="Documentation.htm#Interfaces">interfaces</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><font color="#000099"><a <li><a href="Documentation.htm#Common">common</a></li>
href="Documentation.htm#Hosts">hosts</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
href="Documentation.htm#Policy">policy</a></font></li> <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
href="Documentation.htm#Rules">rules</a></font></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><a <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
href="Documentation.htm#Common">common</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><font color="#000099"><a <li><a href="Documentation.htm#TOS">tos</a> </li>
href="Documentation.htm#Masq">masq</a></font></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><font color="#000099"><a <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><font color="#000099"><a <li><a href="Accounting.html">accounting</a></li>
href="Documentation.htm#NAT">nat</a></font></li> <li><a href="UserSets.html">usersets and users</a><br>
<li><font color="#000099"><a </li>
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a
href="Documentation.htm#modules">modules</a></li>
<li><a
href="Documentation.htm#TOS">tos</a> </li>
<li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a
href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="CorpNetwork.htm">Corporate <li><a href="CorpNetwork.htm">Corporate Network Example</a>
Network Example</a> (Contributed by a Graeme Boyle)<br> (Contributed by a Graeme Boyle)<br>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling <li><a href="ECN.html">ECN Disabling by host or subnet</a></li>
by host or subnet</a></li> <li><a href="errata.htm">Errata</a><br>
<li><a href="errata.htm">Errata</a><br> </li>
</li> <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
<li><font color="#000099"><a Scripts</a></font> (How to extend Shorewall without modifying Shorewall
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> code through the use of files in /etc/shorewall --
(How to extend Shorewall without modifying Shorewall code through the /etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, <li><a href="fallback.htm">Fallback/Uninstall</a></li>
etc.)</li> <li><a href="FAQ.htm">FAQs</a><br>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> </li>
<li><a href="FAQ.htm">FAQs</a><br> <li><a href="shorewall_features.htm">Features</a><br>
</li> </li>
<li><a href="shorewall_features.htm">Features</a><br> <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
</li> <li><a href="FTP.html">FTP and Shorewall</a><br>
<li><a </li>
href="shorewall_firewall_structure.htm">Firewall Structure</a></li> <li><a href="support.htm">Getting help or answers to questions</a></li>
<li><a href="FTP.html">FTP and Shorewall</a><br> <li>Greater Seattle Linux Users Group Presentation</li>
</li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li>Greater Seattle Linux Users Group Presentation</li>
<ul> <ul>
<li><a href="GSLUG.htm">HTML</a></li> <li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li> <li><a href="GSLUG.ppt">PowerPoint</a></li>
</ul> </ul>
<li><a href="Install.htm">Installation/Upgrade</a><br> <li><a href="Install.htm">Installation/Upgrade</a><br>
</li> </li>
<li><font color="#000099"><a <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
href="kernel.htm">Kernel Configuration</a></font></li> <li><a href="shorewall_logging.html">Logging</a><br>
<li><a href="shorewall_logging.html">Logging</a><br> </li>
</li> <li><a href="MAC_Validation.html">MAC Verification</a></li>
<li><a <li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
href="MAC_Validation.html">MAC Verification</a></li> </li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br> <li><a href="myfiles.htm">My Shorewall Configuration (How I
</li> personally use Shorewall)</a></li>
<li><a href="myfiles.htm">My <li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
Shorewall Configuration (How I personally use Shorewall)</a></li> </li>
<li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ports.htm">Port Information</a>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which <li>Which applications use which ports</li>
ports</li> <li>Ports used by Trojans</li>
<li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy <li><a href="ProxyARP.htm">Proxy
ARP</a></li> ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br> <li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li> </li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br> <li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li> </li>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 <li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li> Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Network Interfaces</a></li> Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Addressing, Subnets and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
IP Addresses</a></li> Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 <li><a href="shorewall_setup_guide.htm#Subnets">4.2
Subnets</a></li> Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
Routing</a></li> <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol (ARP)</a></li>
Resolution Protocol (ARP)</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
up your Network</a> Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
SNAT</a></li> <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
DNAT</a></li> Proxy ARP</a></li>
<li><a <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul> </ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall
commands</li>
<li>How to safely test a Shorewall configuration
change<br>
</li>
</ul>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as
a Transparent Proxy with Shorewall</a></li>
<li><a
href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if
it doesn't work)</a><br>
</li> </li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
</li> <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
<li>VPN and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the
Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall
commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a></li>
<li><a href="Accounting.html">Traffic Accounting</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a></li>
<li><a href="UserSets.html">UID/GID Based Rules</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
<li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and <li><a href="IPIP.htm">GRE and
IPIP</a></li> IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br> <li><a href="6to4.htm">6t04</a><br>
</li> </li>
<li><a href="VPN.htm">IPSEC/PPTP</a> <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
from a system behind your firewall to a remote network.</li> firewall to a remote network.</li>
<li><a href="GenericTunnels.html">Other VPN types</a>.<br>
</li>
</ul> </ul>
</li> </li>
<li><a <li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement
<p>If you use one of these guides and have a suggestion for improvement <a <a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> <p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font size="2">Last modified 7/30/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
M. Eastep</font></a><br>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. </p>
Eastep</font></a><br> <br>
</p>
<br>
</body> </body>
</html> </html>
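Review bot: this hunk adds `Accounting.html` to the index three times, as "Accounting" at the top of the Documentation Index, as "accounting" under Configuration File Reference Manual, and again as "Traffic Accounting" near the end of the list; keeping the alphabetical "Accounting" entry plus the reference-manual sub-entry and dropping "Traffic Accounting" removes the duplicate. The new French-translation link for the Setup Guide uses `shorewall_setup_guide_fr.htm` while the other translations in this hunk use the `.html` extension (`standalone_fr.html`, `two-interface_fr.html`); check that the file name matches what is shipped or the link will be broken. Several sub-lists (after "Common configuration file features", "Greater Seattle Linux Users Group Presentation", "Shorewall Setup Guide" and "Starting/stopping the Firewall") open a `<ul>` as a direct child of the outer `<ul>` after the parent `</li>` has already closed, which is invalid in HTML 4.01; moving the closing `</li>` after each nested `</ul>` fixes the nesting. Two typos survive on both sides of the diff and could be fixed while the file is being touched: the VPN sub-item reads "6t04" for the link to `6to4.htm`, and the Corporate Network entry reads "Contributed by a Graeme Boyle". The empty `<ul> </ul>` left between the blockquote and the Documentation Index heading renders only as stray whitespace and can be removed.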

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,435 +1,375 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#3366ff" height="90"> id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Setting up Shorewall on a standalone Linux system is
<p align="left">Setting up Shorewall on a standalone Linux system is very very easy if you understand the basics and follow the documentation.</p>
easy if you understand the basics and follow the documentation.</p> <p>This guide doesn't attempt to acquaint you with all of the features
of Shorewall. It rather focuses on what is required to configure
<p>This guide doesn't attempt to acquaint you with all of the features of Shorewall in one of its most common configurations:</p>
Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, <li>Connection through Cable Modem, DSL, ISDN, Frame Relay,
dial-up...</li> dial-up...</li>
</ul> </ul>
<p>Shorewall requires that you have the iproute/iproute2 package
<p>Shorewall requires that you have the iproute/iproute2 package installed installed (on RedHat, the package is called <i>iproute</i>)<i>. </i>You
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell can tell if this package is installed by the presence of an <b>ip</b>
if this package is installed by the presence of an <b>ip</b> program program
on your firewall system. As root, you can use the 'which' command to on your firewall system. As root, you can use the 'which' command to
check for this program:</p> check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize
<p>I recommend that you read through the guide first to familiarize yourself yourself with what's involved then go back through it again making your
with what's involved then go back through it again making your configuration configuration changes.&nbsp; Points at which configuration changes are
changes.  Points at which configuration changes are recommended are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13" flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13"> .</p>
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, &nbsp;&nbsp;&nbsp; If you edit your configuration files on a Windows
you must save them as Unix files if your editor supports that option system,
or you must run them through dos2unix before trying to use them. Similarly, you must save them as Unix files if your editor supports that option
if you copy a configuration file from your Windows hard drive to a floppy or you must run them through dos2unix before trying to use them.
disk, you must run dos2unix against the copy before using it with Shorewall.</p> Similarly,
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it
with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
Version of dos2unix</a></li> of dos2unix</a></li>
<li><a <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version Version of dos2unix</a></li>
of dos2unix</a></li>
</ul> </ul>
<h2 align="left">PPTP/ADSL</h2>
<img style="border: 0px solid ; width: 13px; height: 13px;"
src="images/BD21298_3.gif" title="" alt="">&nbsp;&nbsp;&nbsp; If you
have an ADSL Modem and you use PPTP to communicate with a server in
that modem, you must make the <a href="PPTP.htm#PPTP_ADSL">changes
recommended here</a> in addition to those described in the steps below.
ADSL with PPTP is most commonly found in Europe, notably in Austria.<br>
<h2 align="left">Shorewall Concepts</h2> <h2 align="left">Shorewall Concepts</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt=""> &nbsp;&nbsp;&nbsp; The configuration files for Shorewall are
    The configuration files for Shorewall are contained in the directory contained in the directory /etc/shorewall -- for simple setups, you
/etc/shorewall -- for simple setups, you only need to deal with a few only need to deal with a few of these as described in this guide. After
of these as described in this guide. After you have <a you have <a href="Install.htm">installed Shorewall</a>, <b>download
href="Install.htm">installed Shorewall</a>, <b>download the <a the <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>, sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall files to /etc/shorewall (they will replace files with the same names
(they will replace files with the same names that were placed in /etc/shorewall that were placed in /etc/shorewall during Shorewall installation)</b>.</p>
during Shorewall installation)</b>.</p> <p>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
<p>As each file is introduced, I suggest that you look through the actual instructions and default entries.</p>
file on your system -- each file contains detailed configuration instructions <p>Shorewall views the network where it is running as being composed of
and default entries.</p> a set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td> <td><u><b>Description</b></u></td>
</tr> </tr>
<tr> <tr>
<td><b>net</b></td> <td><b>net</b></td>
<td><b>The Internet</b></td> <td><b>The Internet</b></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by
<p>Shorewall also recognizes the firewall system as its own zone - by default, default, the firewall itself is known as <b>fw</b>.</p>
the firewall itself is known as <b>fw</b>.</p> <p>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one <li>You express your default policy for connections from one zone to
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy another zone in the<a href="Documentation.htm#Policy">
</a>file.</li> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the <li>You define exceptions to those default policies in the <a
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
<p>For each connection request entering the firewall, the request is
<p>For each connection request entering the firewall, the request is first first checked against the /etc/shorewall/rules file. If no rule in that
checked against the /etc/shorewall/rules file. If no rule in that file file matches the connection request then the first policy in
matches the connection request then the first policy in /etc/shorewall/policy /etc/shorewall/policy that matches the request is applied. If that
that matches the request is applied. If that policy is REJECT or DROP  policy is REJECT or DROP&nbsp; the request is first checked against the
the request is first checked against the rules in /etc/shorewall/common rules in /etc/shorewall/common (the samples provide that file for you).</p>
(the samples provide that file for you).</p> <p>The /etc/shorewall/policy file included with the one-interface
sample
<p>The /etc/shorewall/policy file included with the one-interface sample has the following policies:</p>
has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td> <td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td> <td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td> <td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td> <td><u><b>LIMIT:BURST</b></u></td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>ACCEPT</td> <td>ACCEPT</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>net</td> <td>net</td>
<td>all<br> <td>all<br>
</td> </td>
<td>DROP</td> <td>DROP</td>
<td>info</td> <td>info</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>all</td> <td>all</td>
<td>all</td> <td>all</td>
<td>REJECT</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the internet
to your firewall</li> to your firewall</li>
<li>reject all other connection requests (Shorewall requires <li>reject all other connection requests (Shorewall requires this
this catchall policy).</li> catchall policy).</li>
</ol> </ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes
<p>At this point, edit your /etc/shorewall/policy and make any changes that that you wish.</p>
you wish.</p>
<h2 align="left">External Interface</h2> <h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where
<p align="left">The firewall has a single network interface. Where Internet Internet connectivity is through a cable or DSL "Modem", the <i>External
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> Interface</i> will be the ethernet adapter (<b>eth0</b>) that is
will be the ethernet adapter (<b>eth0</b>) that is connected to that connected to that "Modem"&nbsp; <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External External Interface will be a <b>ppp0</b>. If you connect via a regular
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your modem, your External Interface will also be <b>ppp0</b>. If you
External Interface will also be <b>ppp0</b>. If you connect using ISDN, connect using ISDN, your external interface will be<b> ippp0.</b></p>
your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13"> &nbsp;&nbsp;&nbsp; The Shorewall one-interface sample
    The Shorewall one-interface sample configuration assumes that configuration assumes that the external interface is <b>eth0</b>. If
the external interface is <b>eth0</b>. If your configuration is different, your configuration is different, you will have to modify the sample
you will have to modify the sample /etc/shorewall/interfaces file accordingly. /etc/shorewall/interfaces file accordingly. While you are there, you
While you are there, you may wish to review the list of options that may wish to review the list of options that are specified for the
are specified for the interface. Some hints:</p> interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the
option list. </p> option list.<br>
</li> </p>
</li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges <p align="left">RFC 1918 reserves several <i>Private </i>IP address
for use in private networks:</p> ranges for use in private networks:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, destination address is reserved by RFC 1918. In some cases though,
ISPs are assigning these addresses then using <i>Network Address Translation ISPs are assigning these addresses then using <i>Network Address
</i>to rewrite packet headers when forwarding to/from the internet.</p> Translation </i>to rewrite packet headers when forwarding to/from the
internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13"> &nbsp;&nbsp;&nbsp;&nbsp; Before starting
     Before starting Shorewall, you should look at the IP address Shorewall, you should look at the IP address of your external interface
of your external interface and if it is one of the above ranges, you and if it is one of the above ranges, you should remove the 'norfc1918'
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> option from the entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Enabling other Connections</h2> <h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <p align="left">If you wish to enable connections from the internet to
firewall, the general format is:</p> your firewall, the general format is:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server <p align="left">Example - You want to run a Web Server and a POP3
on your firewall system:</p> Server
</div> on your firewall system:</p>
</div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>80</td> <td>80</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>110</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular application <p align="left">If you don't know what port and protocol a particular
uses, see <a href="ports.htm">here</a>.</p> application uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet
the internet because it uses clear text (even for login!). If you to/from the internet because it uses clear text (even for login!). If
want shell access to your firewall from the internet, use SSH:</p> you
</div> want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13"> &nbsp;&nbsp;&nbsp; At this point, edit
    At this point, edit /etc/shorewall/rules to add other connections /etc/shorewall/rules to add other connections as desired.</p>
as desired.</p> </div>
</div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2> <h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
width="13" height="13" alt="Arrow"> height="13" alt="Arrow"> &nbsp;&nbsp;&nbsp; The <a href="Install.htm">installation
    The <a href="Install.htm">installation procedure </a> configures procedure </a> configures your system to start Shorewall at system
your system to start Shorewall at system boot but beginning with Shorewall boot but beginning with Shorewall version 1.3.9 startup is disabled so
version 1.3.9 startup is disabled so that your system won't try to start that your system won't try to start Shorewall before configuration is
Shorewall before configuration is complete. Once you have completed configuration complete. Once you have completed configuration of your firewall, you
of your firewall, you can enable Shorewall startup by removing the file can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br> /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb .deb package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
package must edit /etc/default/shorewall and set 'startup=1'.</font><br> </p>
</p> </div>
</div>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start"
and stopped using "shorewall stop". When the firewall is stopped, command and stopped using "shorewall stop". When the firewall is
routing is enabled on those hosts that have an entry in <a stopped,
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A routing is enabled on those hosts that have an entry in <a
running firewall may be restarted using the "shorewall restart" command. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
If you want to totally remove any trace of Shorewall from your Netfilter A running firewall may be restarted using the "shorewall restart"
configuration, use "shorewall clear".</p> command. If you want to totally remove any trace of Shorewall from your
</div> Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall
the internet, do not issue a "shorewall stop" command unless you from the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> create an <i><a href="configuration_file_basics.htm#Configs">alternate
and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 2/08/2003 - <a
<p align="left"><font size="2">Last updated 2/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 2003 Thomas M. Eastep</font></a></p>
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
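Review bot: the "Last updated" footer in this hunk changes between 2/21/2003 and 2/08/2003, so one side of the diff carries an earlier date than the other; whichever side is the new text, the footer should carry the date of this edit rather than moving backwards or staying stale. Also, the WARNING under "Starting and Stopping Your Firewall" tells an administrator connected from the internet only about /etc/shorewall/routestopped before issuing "shorewall stop", while the starting_and_stopping_shorewall.htm page in this same change documents the 1.4.7 ADMINISABSENTMINDED=Yes behaviour (existing connections kept, new connections from the firewall itself allowed); a one-sentence cross-reference here would keep the two pages consistent on what "shorewall stop" does to a remote session.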

View File

@ -1,368 +1,326 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title> <title>Starting and Stopping Shorewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring Monitoring the Firewall</font></h1>
the Firewall</font></h1> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p> If you have a permanent internet connection such as DSL or Cable, I
<p> If you have a permanent internet connection such as DSL or Cable, recommend that you start the firewall automatically at boot. Once you
I recommend that you start the firewall automatically at boot. have installed "firewall" in your init.d directory, simply type
Once you have installed "firewall" in your init.d directory, simply "chkconfig --add firewall". This will start the firewall in run levels
type "chkconfig --add firewall". This will start the firewall 2-5 and stop it in run levels 1 and 6. If you want to configure your
in run levels 2-5 and stop it in run levels 1 and 6. If you want firewall differently from this default, you can
to configure your firewall differently from this default, you can use the "--level" option in chkconfig (see "man chkconfig") or using
use the "--level" option in chkconfig (see "man chkconfig") or using your favorite graphical run-level editor.</p>
your favorite graphical run-level editor.</p> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you <li>Shorewall startup is disabled by default. Once you have
have configured your firewall, you can enable startup by removing the configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br> must edit /etc/default/shorewall and set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall <li>If you use dialup, you may want to start the firewall in your
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li> restart" in that script.</li>
</ol> </ol>
<p> </p>
<p> </p> <p> You can manually start and stop Shoreline Firewall using the
"shorewall" shell program. Please refer to the <a
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p> State Diagram</a> is shown at the bottom of this page. </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic <li>shorewall stop - stops the firewall; the only traffic permitted
permitted through the firewall is from systems listed in /etc/shorewall/routestopped through the firewall is from systems listed in
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf /etc/shorewall/routestopped
then in addition, all existing connections are permitted and any new connections (Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new
connections
originating from the firewall itself are allowed).</li> originating from the firewall itself are allowed).</li>
<li>shorewall restart - stops the firewall (if it's <li>shorewall restart - stops the firewall (if it's running) and then
running) and then starts it again</li> starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters in the
in the firewall</li> firewall</li>
<li>shorewall clear - remove all rules and chains <li>shorewall clear - remove all rules and chains installed by
installed by Shoreline Firewall. The firewall is "wide open"</li> Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving <li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a the broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li> href="ECN.html">ECN control rules</a>.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, If you include the keyword <i>debug</i> as the first argument, then a
then a shell trace of the command is produced as in:<br> shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the
<p>The above command would trace the 'start' command and place the trace information trace information
in the file /tmp/trace<br> in the file /tmp/trace<br>
</p> </p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about
<p>Beginning with version 1.4.7, shorewall can give detailed help about each each of its commands:<br>
of its commands:<br> </p>
</p>
<ul> <ul>
<li>shorewall help [ <i>command</i> | host | address ]<br> <li>shorewall help [ <i>command</i> | host | address ]<br>
</li> </li>
</ul> </ul>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about <li>shorewall status - produce a verbose report about the firewall
the firewall (iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose <li>shorewall show <i>chain</i>1 [ <span style="font-style: italic;">chain2
report about <i>chain </i>(iptables -L <i>chain</i> ... </span>] - produce a verbose
-n -v)</li> report about the listed <i>chains </i>(iptables -L <i>chain</i>
<li>shorewall show nat - produce a verbose report about -n -v) <span style="font-weight: bold;">Note: </span>You may only
the nat table (iptables -t nat -L -n -v)</li> list one chain in the <span style="font-weight: bold;">show</span>
<li>shorewall show tos - produce a verbose report about command when running Shorewall version 1.4.6 and earlier.&nbsp; Version
the mangle table (iptables -t mangle -L -n -v)</li> 1.4.7 and later allow you to list multiple chains in one command.<br>
<li>shorewall show log - display the last 20 packet </li>
log entries.</li> <li>shorewall show nat - produce a verbose report about the nat table
<li>shorewall show connections - displays the IP connections (iptables -t nat -L -n -v)</li>
currently being tracked by the firewall.</li> <li>shorewall show tos - produce a verbose report about the mangle
<li>shorewall table (iptables -t mangle -L -n -v)</li>
show tc <li>shorewall show log - display the last 20 packet
- displays information about the traffic control/shaping configuration.</li> log entries.</li>
<li>shorewall monitor [ delay ] - Continuously display <li>shorewall show connections - displays the IP connections
the firewall status, last 20 log entries and nat. When the currently being tracked by the firewall.</li>
log entry display changes, an audible alarm is sounded.</li> <li>shorewall show tc - displays information about the traffic
<li>shorewall hits - Produces several reports about control/shaping configuration.</li>
the Shorewall packet log messages in the current /var/log/messages <li>shorewall monitor [ delay ] - Continuously display the firewall
file.</li> status, last 20 log entries and nat. When the log entry display
<li>shorewall version - Displays the installed changes, an audible alarm is sounded.</li>
version number.</li> <li>shorewall hits - Produces several reports about
<li>shorewall check - Performs a <u>cursory</u> validation of the Shorewall packet log messages in the current /var/log/messages file.</li>
the zones, interfaces, hosts, rules and policy files.<br> <li>shorewall version - Displays the installed version number.</li>
<br> <li>shorewall check - Performs a <u>cursory</u> validation of the
<font size="4" color="#ff6666"><b>The "check" command is totally zones, interfaces, hosts, rules and policy files.<br>
unsuppored and does not parse and validate the generated iptables <br>
commands. Even though the "check" command completes successfully, <font size="4" color="#ff6666"><b>The "check" command is totally
the configuration may fail to start. Problem reports that complain about unsuppored and does not parse and validate the generated iptables
errors that the 'check' command does not detect will not be accepted.<br> commands. Even though the "check" command completes successfully,
<br> the configuration may fail to start. Problem reports that complain
See the recommended way to make configuration changes described about
below.</b></font><br> errors that the 'check' command does not detect will not be accepted.<br>
<br> <br>
</li> See the recommended way to make configuration changes described below.</b></font><br>
<li>shorewall try<i> configuration-directory</i> [<i> <br>
timeout</i> ] - Restart shorewall using the specified configuration </li>
and if an error occurs or if the<i> timeout </i> option is given <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -
and the new configuration has been up for that many seconds then Restart shorewall using the specified configuration and if an error
shorewall is restarted using the standard configuration.</li> occurs or if the<i> timeout </i> option is given
<li>shorewall deny, shorewall reject, shorewall accept and the new configuration has been up for that many seconds then
and shorewall save implement <a shorewall is restarted using the standard configuration.</li>
href="blacklisting_support.htm">dynamic blacklisting</a>.</li> <li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
<li>shorewall logwatch (added in version 1.3.2) - Monitors href="#Conf">LOGFILE </a>and produces an audible alarm when new
the <a href="#Conf">LOGFILE </a>and produces an audible alarm Shorewall messages are logged.</li>
when new Shorewall messages are logged.</li>
</ul> </ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br> commands for dealing with IP addresses and IP address ranges:<br>
<ul> <ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] <li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR notation - displays the network address, broadcast address, network in CIDR
and netmask corresponding to the input[s].</li> notation and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified <li>shorewall iprange <i>address1-address2</i> - Decomposes the
range of IP addresses into the equivalent list of network/host addresses. specified range of IP addresses into the equivalent list of
<br> network/host addresses. <br>
</li> </li>
</ul> </ul>
There is a set of commands dealing with <a There is a set of commands dealing with <a
href="blacklisting_support.htm">dynamic blacklisting</a>:<br> href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
<ul> <ul>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from <li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets
the listed IP addresses to be silently dropped by the firewall.</li> from the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from <li>shorewall reject <i>&lt;ip address list&gt; </i>- causes
the listed IP addresses to be rejected by the firewall.</li> packets from the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt <li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables
of packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i> receipt of packets from hosts previously blacklisted by a <i>drop</i>
command.</li> or <i>reject</i> command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so that <li>shorewall save - save the dynamic blacklisting configuration so
it will be automatically restored the next time that the firewall is that it will be automatically restored the next time that the firewall
restarted.</li> is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br> <li>show dynamic - displays the dynamic blacklisting chain.<br>
</li> </li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br> contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
</i>- Adds the specified interface (and host if included) to the Adds the specified interface (and host if included) to the specified
specified zone.</li> zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
</i>- Deletes the specified interface (and host if included) from Deletes the specified interface (and host if included) from the
the specified zone.</li> specified zone.</li>
</ul> </ul>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> vpn1</b></font> -- adds the address 192.0.2.24 from interface ipsec0 to
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br> the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
from zone vpn1<br> </blockquote>
</blockquote> </blockquote>
</blockquote> <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall
check, </b>and <b>shorewall try </b>commands allow you to specify
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and which <a href="configuration_file_basics.htm#Configs"> Shorewall
<b>shorewall try </b>commands allow you to specify which <a configuration</a> to use:</p>
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ]
shorewall try <i>configuration-directory</i></p> {start|restart|check}<br>
</blockquote> shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that
is going to use a file in /etc/shorewall it will first look in the Shorewall is going to use a file in /etc/shorewall it will first look
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>, in the <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will that file will be used; otherwise, the file in /etc/shorewall will be
be used.</p> used.</p>
<p> When changing the configuration of a production firewall, I
<p> When changing the configuration of a production firewall, I recommend recommend the following:</p>
the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change <li>&lt;copy any files that you need to change from /etc/shorewall to
from /etc/shorewall to . and change them here&gt;</li> . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li> <li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li><font <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall
<p> If the configuration starts but doesn't work, just "shorewall restart" restart" to restore the old configuration. If the new configuration
to restore the old configuration. If the new configuration fails fails to start, the "try" command will automatically start the old one
to start, the "try" command will automatically start the old one for for you.</p>
you.</p> <p> When the new configuration works then just </p>
<p> When the new configuration works then just </p>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br> below.<br>
</p> </p>
<div align="center"><img src="images/State_Diagram.png" <div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle"> alt="(State Diagram)" width="747" height="714" align="middle"> <br>
<br> </div>
</div> <p>&nbsp; <br>
</p>
<p>  <br> You will note that the commands that result in state transitions use
</p> the word "firewall" rather than "shorewall". That is because the actual
You will note that the commands that result in state transitions transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
use the word "firewall" rather than "shorewall". That is because the runs 'firewall" according to the following table:<br>
actual transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall <br>
runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br> <td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td> </u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br> <td valign="top"><u><b>Resulting /usr/share/shorewall/firewall
</u></td> Command</b><br>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br> </u></td>
</u></td> <td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</tr> </u></td>
<tr> </tr>
<td valign="top">shorewall start<br> <tr>
</td> <td valign="top">shorewall start<br>
<td valign="top">firewall start<br> </td>
</td> <td valign="top">firewall start<br>
<td valign="top">The system filters packets based on your current </td>
<td valign="top">The system filters packets based on your current
Shorewall Configuration<br> Shorewall Configuration<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall stop<br> <td valign="top">shorewall stop<br>
</td> </td>
<td valign="top">firewall stop<br> <td valign="top">firewall stop<br>
</td> </td>
<td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts <td valign="top">Only traffic to/from hosts listed in
is passed to/from/through the firewall. For Shorewall versions beginning /etc/shorewall/hosts is passed to/from/through the firewall. For
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then Shorewall versions beginning
in addition, all existing connections are retained and all connection requests with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then
in addition, all existing connections are retained and all connection
requests
from the firewall are accepted.<br> from the firewall are accepted.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall restart<br> <td valign="top">shorewall restart<br>
</td> </td>
<td valign="top">firewall restart<br> <td valign="top">firewall restart<br>
</td> </td>
<td valign="top">Logically equivalent to "firewall stop;firewall <td valign="top">Logically equivalent to "firewall stop;firewall
start"<br> start"<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall add<br> <td valign="top">shorewall add<br>
</td> </td>
<td valign="top">firewall add<br> <td valign="top">firewall add<br>
</td> </td>
<td valign="top">Adds a host or subnet to a dynamic zone<br> <td valign="top">Adds a host or subnet to a dynamic zone<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall delete<br> <td valign="top">shorewall delete<br>
</td> </td>
<td valign="top">firewall delete<br> <td valign="top">firewall delete<br>
</td> </td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br> <td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall refresh<br> <td valign="top">shorewall refresh<br>
</td> </td>
<td valign="top">firewall refresh<br> <td valign="top">firewall refresh<br>
</td> </td>
<td valign="top">Reloads rules dealing with static blacklisting, <td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br> traffic control and ECN.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall clear<br> <td valign="top">shorewall clear<br>
</td> </td>
<td valign="top">firewall clear<br> <td valign="top">firewall clear<br>
</td> </td>
<td valign="top">Removes all Shorewall rules, chains, addresses, <td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br> routes and ARP entries.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall try<br> <td valign="top">shorewall try<br>
</td> </td>
<td valign="top">firewall -c &lt;new configuration&gt; <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
restart<br> If unsuccessful then firewall start (standard configuration)<br>
If unsuccessful then firewall start (standard configuration)<br> If timeout then firewall restart (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br> </td>
</td> <td valign="top"><br>
<td valign="top"><br> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<p><font size="2"> Updated 8/25/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 7/31/2003 - <a href="support.htm">Tom Eastep</a> </font></p>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
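Review bot: the "shorewall try" row at the end of the command table leaves the "Effect if the Command Succeeds" cell empty while every other row fills it in; suggest stating the outcome the middle column already implies, e.g. "The system filters packets based on the configuration in <new configuration>; if that fails or times out, the standard configuration is restored". Two typos also survive the reflow: "State Diargram" should be "State Diagram", and the mismatched quotes in runs 'firewall" should be runs "firewall". The "shorewall stop" row deserves one more sentence as well: the new text says that with ADMINISABSENTMINDED=Yes all existing connections are retained and connection requests from the firewall are accepted, so "stop" is not a full cutoff in that mode; saying so explicitly would help administrators who treat "shorewall stop" as an emergency lockdown.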


@ -1,92 +1,62 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title> <title>Shorewall Support Guide</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr>
<tr> <td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number of sources of Shorewall information. Please try
There are a number of sources of Shorewall information. Please these before you post.
try these before you post.
<ul> <ul>
<li>Shorewall versions <li>Shorewall versions earlier that 1.3.0 are no longer supported.<br>
earlier that 1.3.0 are no longer supported.<br> </li>
</li> <li>More than half of the questions posted on the support list have
<li>More than half of the questions posted on the support answers directly accessible from the <a
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br> Index</a><br>
</li> </li>
<li> <li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> solutions to more than 20 common problems. </li>
has solutions to more than 20 common problems. <li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
</li> Information contains a number of tips
<li> to help you solve common problems. </li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> <li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
Information contains a number of tips has links to download updated components. </li>
to help you solve common problems. </li> <li> The Site and Mailing List Archives search facility can locate
<li> documents and posts about similar problems: </li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility
can locate documents and posts about similar problems:
</li>
</ul> </ul>
<h2>Site and Mailing List Archive Search</h2> <h2>Site and Mailing List Archive Search</h2>
<blockquote> <blockquote>
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match: action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1">Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
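Review bot: the first bullet under "Before Reporting a Problem or Asking a Question" still reads "Shorewall versions earlier that 1.3.0 are no longer supported"; "that" should be "than", and the reflow kept the typo. The last bullet of that list ends with a colon that is meant to lead into the search form, but the "Site and Mailing List Archive Search" heading now sits between them, so ending the bullet with a full stop (or "see below") would read more naturally.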
@ -95,250 +65,193 @@ can locate documents and posts about similar problems:
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" </font><input type="hidden" name="config" value="htdig"><input
value="htdig"><input type="hidden" name="restrict" value=""><font type="hidden" name="restrict" value=""><font size="-1"> Include
size="-1"> Include Mailing List Archives: Mailing List Archives:
<select size="1" name="exclude"> <select size="1" name="exclude">
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" Search: <input type="text" size="30" name="words" value=""> <input
name="words" value=""> <input type="submit" value="Search"><br> type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only <li>Please remember we only know what is posted in your message. Do
know what is posted in your message. Do not leave out not leave out
any information that appears to be correct, or was mentioned any information that appears to be correct, or was mentioned in a
in a previous post. There have been countless posts by people previous post. There have been countless posts by people who were sure
who were sure that some part of their configuration was correct that some part of their configuration was correct when it actually
when it actually contained a small error. We tend to be skeptics contained a small error. We tend to be skeptics where detail is lacking.<br>
where detail is lacking.<br> <br>
<br> </li>
</li> <li>Please keep in mind that you're asking for <strong>free</strong>
<li>Please keep in mind that technical support. Any help we offer is an act of generosity, not an
you're asking for <strong>free</strong> technical obligation. Try to make it easy for us to help you. Follow good,
support. Any help we offer is an act of generosity, not an obligation. courteous practices in writing and formatting your e-mail. Provide
Try to make it easy for us to help you. Follow good, courteous details
practices in writing and formatting your e-mail. Provide details that we need if you expect good answers. <em>Exact quoting </em> of
that we need if you expect good answers. <em>Exact quoting </em> error messages, log entries, command output, and other output is
of error messages, log entries, command output, and other output is better than a paraphrase or summary.<br>
better than a paraphrase or summary.<br> <br>
<br> </li>
</li> <li> Please don't describe your environment and then ask us to send
<li> you custom configuration files. We're here to answer your questions but
Please don't describe your environment and then we can't do your job for you.<br>
ask us to send you custom configuration files. <br>
We're here to answer your questions but we can't </li>
do your job for you.<br> <li>When reporting a problem, <strong>ALWAYS</strong> include this
<br> information:</li>
</li>
<li>When reporting a problem,
<strong>ALWAYS</strong> include this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of <li>the exact version of Shorewall you are running.<br>
Shorewall you are running.<br> <br>
<br> <b><font color="#009900">shorewall version</font><br>
<b><font </b> <br>
color="#009900">shorewall version</font><br> </li>
</b> <br>
</li>
</ul> </ul>
<ul> <ul>
</ul> </ul>
<ul> <ul>
<li>the complete, exact <li>the complete, exact
output of<br> output of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip addr show<br>
addr show<br> <br>
<br> </b></font></li>
</b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact <li>the complete, exact
output of<br> output of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip route show<br>
route show<br> </b></font></li>
</b></font></li>
</ul> </ul>
<ul> <ul>
</ul> </ul>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li><small><small><font color="#ff0000"><u><i><big><b>THIS <li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If
problem is that some type of connection to/from or through your firewall your
isn't working then please perform the following four steps:<br> problem is that some type of connection to/from or through your
<br> firewall
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br> isn't working then please perform the following four steps:<br>
<br> <br>
2. Try making the connection that is failing.<br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall 2. Try making the connection that is failing.<br>
status &gt; /tmp/status.txt</font></b><br> <br>
<br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
4. Post the /tmp/status.txt file as an <br>
attachment (you may compress it if you like).<br> 4. Post the /tmp/status.txt file as an
<br> attachment (you may compress it if you like).<br>
</li> <br>
<li>the exact wording of any <code </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart Guides,
Guides, please indicate which one. <br> please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake <li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br> using the Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As a general matter, please <strong>do not edit the diagnostic
<li>As a general matter, please <strong>do not edit the information</strong> in an attempt to conceal your IP address, netmask,
diagnostic information</strong> in an attempt to conceal nameserver addresses, domain name, etc. These aren't secrets, and
your IP address, netmask, nameserver addresses, domain name, concealing them often misleads us (and 80% of the time, a hacker could
etc. These aren't secrets, and concealing them often misleads derive them anyway from information contained in the SMTP headers of
us (and 80% of the time, a hacker could derive them anyway your post).<br>
from information contained in the SMTP headers of your post).<br> <br>
<br> <strong></strong></li>
<strong></strong></li> <li>Do you see any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
<li>Do you see any "Shorewall" messages show log</font></b>") when you exercise the function that is giving you
("<b><font color="#009900">/sbin/shorewall show log</font></b>") problems? If so, include the message(s) in your post along with a copy
when you exercise the function that is giving you problems? of your /etc/shorewall/interfaces file.<br>
If so, include the message(s) in your post along with a copy of <br>
your /etc/shorewall/interfaces file.<br> </li>
<br> <li>Please include any of the Shorewall configuration files
</li> (especially the /etc/shorewall/hosts file if you have modified that
<li>Please include any of the Shorewall configuration file) that you think are relevant. If you include /etc/shorewall/rules,
files (especially the /etc/shorewall/hosts file please include /etc/shorewall/policy as well (rules are meaningless
if you have modified that file) that you think are unless one also knows the policies).<br>
relevant. If you include /etc/shorewall/rules, please include <br>
/etc/shorewall/policy as well (rules are meaningless unless </li>
one also knows the policies).<br> <li>If an error occurs when you try to "<font color="#009900"><b>shorewall
<br> start</b></font>", include a trace (See the <a
</li>
<li>If an error occurs when you try
to "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb <li><b>The list server limits posts to 120kb so don't post GIFs of
so don't post GIFs of your network your network
layout, etc. to the Mailing List -- your post will be layout, etc. to the Mailing List -- your post will be
rejected.</b></li> rejected.</b></li>
</ul> </ul>
<blockquote> The author gratefully acknowleges that the above list was
<blockquote> The author gratefully acknowleges that the above list was heavily plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
heavily plagiarized from the excellent LEAF document by <i>Ray</i> found at <a
<em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
<blockquote> A growing number of MTAs serving list subscribers are rejecting all HTML traffic. At least one MTA has gone so far as to
rejecting all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net "for continuous abuse" because it has been
blacklist shorewall.net "for continuous abuse" because it has been my policy to allow HTML in list posts!!<br>
my policy to allow HTML in list posts!!<br> <br>
<br> I think that blocking all HTML is a Draconian way to control spam and
I think that blocking all that the ultimate losers here are not the spammers but the list
HTML is a Draconian way to control spam and that the subscribers whose MTAs are bouncing all shorewall.net mail. As one list
ultimate losers here are not the spammers but the list subscribers subscriber wrote to me privately "These e-mail admin's need to get a <i>(expletive
whose MTAs are bouncing all shorewall.net mail. As one list deleted)</i> life instead of trying to rid the planet of HTML based
subscriber wrote to me privately "These e-mail admin's need e-mail". Nevertheless, to allow
to get a <i>(expletive deleted)</i> life instead of trying to subscribers to receive list posts as must as possible, I have now
rid the planet of HTML based e-mail". Nevertheless, to allow configured the list server at shorewall.net to convert all HTML to
subscribers to receive list posts as must as possible, I have now plain text. These converted posts are difficult to read so all of us
configured the list server at shorewall.net to strip all HTML from will appreciate it if you just post in plain text to begin with.<br>
outgoing posts.<br> </blockquote>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem to the <a
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
list</a>.</span></h4> (MNF) and you have not purchased an MNF license from MandrakeSoft then
<b>If you run Shorewall you can post non MNF-specific Shorewall questions to the </b><a
under MandrakeSoft Multi Network Firewall (MNF) and href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
you have not purchased an MNF license from MandrakeSoft then mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
list.</a> </p> mailing list.</a> </p>
</blockquote> </blockquote>
<h2>Subscribing to the Users Mailing List<br> <h2>Subscribing to the Users Mailing List<br>
</h2> </h2>
<blockquote> <blockquote>
<p> To Subscribe to the mailing list go to <a <p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
<br>
Secure: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
</p> Eastep.</font></a></font><br>
<br> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>
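Review bot: the subscription paragraph now keeps only the https link, but its visible anchor text "https//lists.shorewall.net/mailman/listinfo/shorewall-users" is still missing the colon after "https" (the href attribute itself is correct); suggest making the link text match the href. Typos carried over in this hunk: "acknowleges" should be "acknowledges" in the LEAF attribution, and "as must as possible" should be "as much as possible" in the plain-text section.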

File diff suppressed because it is too large


@ -1,226 +1,208 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title> <title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90" src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> height="90" align="middle"> </font></h1>
</font></h1> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<h3 style="text-align: center;"><span style="font-style: italic;">"If
you think you can you can; if you think you can't you're right.<br>
If you don't believe that you can, why should someone else?" -- Gunnar
Tapper<br>
</span></h3>
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be be sure that there isn't an update that you are missing for your
sure that there isn't an update that you are missing for your version version of the firewall.</p>
of the firewall.</p>
<h3 align="left">Check the FAQs</h3> <h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common common problems.</p>
problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting If you receive an error message when starting or restarting the
the firewall and you can't determine the cause, then do the following: firewall and you can't determine the cause, then do the following:
<ul> <ul>
<li>Make a note of the error message that you see.<br> <li>Make a note of the error message that you see.<br>
</li> </li>
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you <li>Look at the /tmp/trace file and see if that helps you determine
determine what the problem is. Be sure you find the place in the log what the problem is. Be sure you find the place in the log where the
where the error message you saw is generated -- If you are using Shorewall error message you saw is generated -- If you are using Shorewall 1.4.0
1.4.0 or later, you should find the message near the end of the log.</li> or later, you should find the message near the end of the log.</li>
<li>If you still can't determine what's wrong then see the <li>If you still can't determine what's wrong then see the <a
<a href="support.htm">support page</a>.</li> href="support.htm">support page</a>.</li>
</ul> </ul>
Here's an example. During startup, a user sees the following:<br> Here's an example. During startup, a user sees the following:<br>
<blockquote> <blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre> <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote> </blockquote>
A search through the trace for "No chain/target/match by that name" A search through the trace for "No chain/target/match by that name"
turned up the following:  turned up the following:&nbsp;
<blockquote> <blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre> <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote> </blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with The command that failed was: "iptables -A reject -p tcp -j REJECT
tcp-reset". In this case, the user had compiled his own kernel and had --reject-with tcp-reset". In this case, the user had compiled his own
forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) kernel and had
forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
<p>Many times when people have problems with Shorewall, the problem is actually actually an ill-conceived network setup. Here are several popular
an ill-conceived network setup. Here are several popular snafus: </p> snafus: </p>
<ul> <ul>
<li>Port Forwarding where client and server are <li>Port Forwarding where client and server are in the same subnet.
in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li> See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the <li>Changing the IP address of a local system to be in the external
external subnet, thinking that Shorewall will suddenly believe subnet, thinking that Shorewall will suddenly believe
that the system is in the 'net' zone.</li> that the system is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. <li>Multiple interfaces connected to the same HUB or Switch. Given
Given the way that the Linux kernel respond to ARP "who-has" requests, the way that the Linux kernel respond to ARP "who-has" requests, this
this type of setup does NOT work the way that you expect it to.</li> type of setup does NOT work the way that you expect it to. If you
are running Shorewall version 1.4.7 or later, you can test using this
kind of configuration if you specify
the <span style="font-weight: bold;">arp_filter</span>
option in /etc/shorewall/interfaces for all interfaces connected to the
common hub/switch. Using such a setup with a production firewall is
strongly recommended against.</li>
</ul> </ul>
<h3 align="left">If you are having connection problems:</h3> <h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you
<p align="left">If the appropriate policy for the connection that you are are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work,
TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter to your rule set and they represent a big security
they add clutter to your rule set and they represent a big security hole hole
in the event that you forget to remove them later.</p> in the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies
<p align="left">I also recommend against setting all of your policies to to ACCEPT in an effort to make something work. That robs you of one of
ACCEPT in an effort to make something work. That robs you of one of your best diagnostic tools - the "Shorewall" messages that Netfilter
your best diagnostic tools - the "Shorewall" messages that Netfilter will generate when you try to connect in a way that isn't permitted by
will generate when you try to connect in a way that isn't permitted your rule set.</p>
by your rule set.</p> <p align="left">Check your log ("/sbin/shorewall show log"). If you
don't see Shorewall messages, then your problem is probably NOT a
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't Shorewall problem. If you DO see packet messages, it may be an
see Shorewall messages, then your problem is probably NOT a Shorewall indication that
problem. If you DO see packet messages, it may be an indication that you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p> <p align="left">While you are troubleshooting, it is a good idea to
clear two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
<p align="left">This way, you will see all of the log messages being generated generated (be sure to restart shorewall after clearing these variables).</p>
(be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p> DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP
</font> SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the <li>all2all:REJECT - This packet was REJECTed out of the
all2all chain -- the packet was rejected under the "all"-&gt;"all" all2all chain -- the packet was rejected under the "all"-&gt;"all"
REJECT policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li> REJECT policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li> <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li> <li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li> <li>DPT=53 - DNS</li>
</ul> </ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
is in the "loc" zone. I was missing the rule:</p> <p align="left">ACCEPT&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
loc&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 53<br>
<p align="left">ACCEPT    dmz    loc    udp    53<br> </p>
</p> <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional
information about how to interpret the chain name appearing in a
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information Shorewall log message.<br>
about how to interpret the chain name appearing in a Shorewall log message.<br> </p>
</p>
<h3 align="left">'Ping' Problems?</h3> <h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to Either can't ping when you think you should be able to or are able to
ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a ping when you think that you shouldn't be allowed? Shorewall's 'Ping'
href="ping.html"> is described here</a>.<br> Management<a href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT <li>Seeing rejected/dropped packets logged out of the INPUT or
or FORWARD chains? This means that: FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that <li>your zone definitions are screwed up and the host that is
is sending the packets or the destination host isn't in any zone sending the packets or the destination host isn't in any zone (using an
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
file are you?); or</li> are you?); or</li>
<li>the source and destination hosts are both connected <li>the source and destination hosts are both connected to the
to the same interface and you don't have a policy or rule for the same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li> source zone to or from the destination zone.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP <li>Remember that Shorewall doesn't automatically allow ICMP type 8
type 8 ("ping") requests to be sent between zones. If you want pings ("ping") requests to be sent between zones. If you want pings to be
to be allowed between zones, you need a rule of the form:<br> allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; &lt;source
zone&gt;    icmp    echo-request<br> zone&gt;&nbsp;&nbsp;&nbsp; &lt;destination zone&gt;&nbsp;&nbsp;&nbsp;
<br> icmp&nbsp;&nbsp;&nbsp; echo-request<br>
The ramifications of this can be subtle. For example, if <br>
you have the following in /etc/shorewall/nat:<br> The ramifications of this can be subtle. For example, if you have the
<br> following in /etc/shorewall/nat:<br>
    10.1.1.2    eth0    130.252.100.18<br> <br>
<br> &nbsp;&nbsp;&nbsp; 10.1.1.2&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp;
and you ping 130.252.100.18, unless you have allowed icmp 130.252.100.18<br>
type 8 between the zone containing the system you are pinging from <br>
and the zone containing 10.1.1.2, the ping requests will be dropped. </li> and you ping 130.252.100.18, unless you have allowed icmp type 8
<li>If you specify "routefilter" for an interface, that between the zone containing the system you are pinging from and the
interface must be up prior to starting the firewall.</li> zone containing 10.1.1.2, the ping requests will be dropped.&nbsp;</li>
<li>Is your routing correct? For example, internal systems <li>If you specify "routefilter" for an interface, that interface
usually need to be configured with their default gateway set to must be up prior to starting the firewall.</li>
the IP address of their nearest firewall interface. One often overlooked <li>Is your routing correct? For example, internal systems usually
aspect of routing is that in order for two hosts to communicate, need to be configured with their default gateway set to
the routing between them must be set up <u>in both directions.</u> the IP address of their nearest firewall interface. One often
So when setting up routing between <b>A</b> and<b> B</b>, be sure overlooked aspect of routing is that in order for two hosts to
to verify that the route from <b>B</b> back to <b>A</b> is defined.</li> communicate,
<li>Some versions of LRP (EigerStein2Beta for example) have the routing between them must be set up <u>in both directions.</u>
a shell with broken variable expansion. <a So when setting up routing between <b>A</b> and<b> B</b>, be sure
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected to verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
shell from the Shorewall Errata download site.</a> </li> <li>Some versions of LRP (EigerStein2Beta for example) have a shell
<li>Do you have your kernel properly configured? <a with broken variable expansion. <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a
<li>Shorewall requires the "ip" program. That program corrected shell from the Shorewall Errata download site.</a> </li>
is generally included in the "iproute" package which should be included <li>Do you have your kernel properly configured? <a href="kernel.htm">Click
with your distribution (though many distributions don't install iproute here to see my kernel configuration.</a> </li>
by default). You may also download the latest source tarball from <li>Shorewall requires the "ip" program. That program is generally
<a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> included in the "iproute" package which should be included with your
.</li> distribution (though many distributions don't install iproute by
<li>Problems with NAT? Be sure that you let default). You may also download the latest source tarball from <a
Shorewall add all external addresses to be use with NAT unless you href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
ftp://ftp.inr.ac.ru/ip-routing</a> .</li>
<li>Problems with NAT? Be sure that you let
Shorewall add all external addresses to be use with NAT unless you
have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No
in /etc/shorewall/shorewall.conf.</li> in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.<br> <p>See the<a href="support.htm"> support page.<br>
</a></p> </a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 4/29/2003 - Tom Eastep</font> </p> <p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
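Review bot: the new arp_filter paragraph in the "Your network environment" list omits the requirement that the interfaces file hunk in this same commit states for the option, "The interface must be up when Shorewall is started"; the Gotchas list already records the equivalent constraint for routefilter, so add the same sentence here so that someone testing a shared hub/switch setup does not start the firewall before those interfaces are up. Also, the footer now reads "Last updated 8/29/2003" while the copyright line still says "2001, 2002".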


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.6c VERSION=1.4.7
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -82,6 +82,7 @@ restore_file /etc/shorewall/functions
restore_file /usr/lib/shorewall/functions restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions restore_file /var/lib/shorewall/functions
restore_file /usr/lib/shorewall/firewall restore_file /usr/lib/shorewall/firewall
restore_file /usr/lib/shorewall/help
restore_file /etc/shorewall/common.def restore_file /etc/shorewall/common.def
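Review bot: the added `restore_file /usr/lib/shorewall/help` does not match where install.sh in this commit places the file, `${PREFIX}/usr/share/shorewall/help` (the install hunk at -316), so a fallback after a 1.4.7 install would leave the new help executor in place unless it is restored elsewhere. Consider adding `restore_file /usr/share/shorewall/help` next to it, following the pattern used for the functions file, which is restored from several candidate locations.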
@ -133,6 +134,12 @@ restore_file /etc/shorewall/stopped
restore_file /etc/shorewall/ecn restore_file /etc/shorewall/ecn
restore_file /etc/shorewall/accounting
restore_file /etc/shorewall/usersets
restore_file /etc/shorewall/users
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`" oldversion="`cat /usr/lib/shorewall/version`"


@ -269,6 +269,13 @@ encodeaddr() {
# Enumerate the members of an IP range -- When using a shell supporting only # Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0. # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
# #
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() { ip_range() {
local first last l x y z vlsm local first last l x y z vlsm
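Review bot: typo in the new comment, "mimimal" should be "minimal". Since the two flavors differ in output shape (prefixes versus one address per line), it would help to say in the comment which one callers should use when the result is fed to iptables.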
@ -327,8 +334,6 @@ ip_range_explicit() {
fatal_error "Invalid IP address range: $1" fatal_error "Invalid IP address range: $1"
fi fi
l=$(( $last + 1 ))
while [ $first -le $last ]; do while [ $first -le $last ]; do
echo `encodeaddr $first` echo `encodeaddr $first`
first=$(($first + 1)) first=$(($first + 1))
@ -358,12 +363,11 @@ ip_network() {
# The following hack is supplied to compensate for the fact that many of # The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^"). # the popular light-weight Bourne shell derivatives don't support XOR ("^").
# #
# Note: 2147483647 = 0x7fffffff
ip_broadcast() { ip_broadcast() {
local x=$(( ${1#*/} - 1 )) local x=$(( 32 - ${1#*/} ))
[ $x -eq -1 ] && echo -1 || echo $(( 2147483647 >> $x )) [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
} }
# #
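Review bot: the boundary cases of ip_broadcast have changed, and the /0 case now overflows on the shells the surrounding comment warns about. Before, a /32 (x=31) gave `2147483647 >> 31`, that is 0, and a /0 (x=-1) gave -1; after, a /32 gives x=0 and returns -1, while a /0 gives x=32 and evaluates `1 $LEFTSHIFT 32`, which is undefined in 32-bit signed arithmetic. Confirm which value callers expect for a /32 (0 host bits versus the -1 sentinel) and handle x=32 explicitly, for example `[ $x -eq 32 ] && echo -1`. Also, $LEFTSHIFT is not set anywhere in this hunk; a comment pointing to where it is defined would help.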
@ -407,3 +411,108 @@ ip_vlsm() {
fi fi
} }
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less "+" and anything following).
#
chain_base() #$1 = interface
{
local c=${1%%+*}
while true; do
case $c in
*.*)
c="${c%.*}_${c##*.}"
;;
*)
echo ${c:=common}
return
;;
esac
done
}
#
# Remove trailing digits from a name
#
strip_trailing_digits() {
echo $1 | sed s'/[0-9].*$//'
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Name from routing table
{
local if_file=$1
local rt_table=$2
case $if_file in
*+)
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
;;
*)
test "$rt_table" = "$if_file"
;;
esac
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_subnet ${1%/*} $addr && echo `find_device $rest`
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo `find_device $rest`
fi
;;
esac
done
}
#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo `find_device $rest` && return
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev="`find_rt_interface $1`"
local first rest
[ -z "$dev" ] && dev=`find_default_interface`
[ -n "$dev" ] && echo $dev
}
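Review bot: strip_trailing_digits does not do what its name and the if_match comment promise: `sed s'/[0-9].*$//'` deletes everything from the first digit to the end of the name, not only trailing digits, so an interfaces entry such as `br0+` (the route name `br0` is stripped to `br`) or a VLAN name like `eth0.1` can never match through if_match, and a name beginning with a digit collapses to the empty string. Use `sed 's/[0-9]*$//'` instead. Smaller points in the same hunk: "Loosly" should be "Loosely" in the if_match comment; find_rt_interface echoes the device of every non-default route containing the address rather than the most specific one, so find_interface_by_address can return several names (its comment says "interface(s)", so callers must be prepared for a list); and `local first rest` in find_interface_by_address is unused.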


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.6c VERSION=1.4.7
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -316,6 +316,14 @@ install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo echo
echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions" echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
#
# Install the Help file
#
install_file_with_backup help ${PREFIX}/usr/share/shorewall/help 0544
echo
echo "Help command executor installed in ${PREFIX}/usr/share/shorewall/help"
# #
# Install the common.def file # Install the common.def file
# #
@ -545,7 +553,37 @@ if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
else else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn" echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
#
# Install the Accounting file
#
if [ -f ${PREFIX}/etc/shorewall/accounting ]; then
backup_file /etc/shorewall/accounting
else
run_install -o $OWNER -g $GROUP -m 0600 accounting ${PREFIX}/etc/shorewall/accounting
echo
echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
fi
#
# Install the User Sets file
#
if [ -f ${PREFIX}/etc/shorewall/usersets ]; then
backup_file /etc/shorewall/usersets
else
run_install -o $OWNER -g $GROUP -m 0600 usersets ${PREFIX}/etc/shorewall/usersets
echo
echo "User Sets file installed as ${PREFIX}/etc/shorewall/usersets"
fi
#
# Install the User file
#
if [ -f ${PREFIX}/etc/shorewall/users ]; then
backup_file /etc/shorewall/users
else
run_install -o $OWNER -g $GROUP -m 0600 users ${PREFIX}/etc/shorewall/users
echo
echo "Users file installed as ${PREFIX}/etc/shorewall/users"
fi fi
# #
# Backup the version file # Backup the version file


@ -103,6 +103,15 @@
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.
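Review bot: grammar in the new arp_filter description, "IP addresses on any of the firewall's interface" should read "interfaces". The paragraph also says the interface must be up when Shorewall is started but not what happens when it is not (the routefilter option carries the same constraint elsewhere in this commit's troubleshooting page); stating whether start fails or the option is silently skipped would save users a trace session.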


@ -50,6 +50,9 @@
# #
# Example: 206.124.146.177-206.124.146.180 # Example: 206.124.146.177-206.124.146.180
# #
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names. # This column may not contain DNS Names.
# #
# Example 1: # Example 1:


@ -12,8 +12,10 @@
loadmodule iptable_filter loadmodule iptable_filter
loadmodule ip_conntrack loadmodule ip_conntrack
loadmodule ip_conntrack_ftp loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc loadmodule ip_conntrack_irc
loadmodule iptable_nat loadmodule iptable_nat
loadmodule ip_nat_ftp loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc loadmodule ip_nat_irc


@ -32,5 +32,6 @@
# Yes or yes, NAT will be effective from the firewall # Yes or yes, NAT will be effective from the firewall
# system # system
############################################################################## ##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL #EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -3,6 +3,8 @@
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the # don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the # /etc/shorewall/common[.def] file. For each source/destination pair, the
@ -69,8 +71,12 @@
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -1,38 +1,20 @@
This is a minor release of Shorewall. This is a minor release of Shorewall.
Problems Corrected: Problems Corrected since version 1.4.6:
1) A problem seen on RH7.3 systems where Shorewall encountered start 1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
errors when started using the "service" mechanism has been worked
around.
2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.
3) Corrected a problem in Beta 1 where DNS names containing a "-" were
mis-handled when they appeared in the DEST column of a rule.
4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
rules has been corrected.
5) The message "Adding rules for DHCP" is now suppressed if there are
no DHCP rules to add.
6) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
being tested before it was set. being tested before it was set.
7) Corrected handling of MAC addresses in the SOURCE column of the 2) Corrected handling of MAC addresses in the SOURCE column of the
tcrules file. Previously, these addresses resulted in an invalid tcrules file. Previously, these addresses resulted in an invalid
iptables command. iptables command.
8) The "shorewall stop" command is now disabled when 3) The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from /etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured shooting themselves in the foot prior to having configured
Shorewall. Shorewall.
9) A change introduced in version 1.4.6 caused error messages during 4) A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being added to a PPP interface; the addresses were successfully being added to a PPP interface; the addresses were successfully
added in spite of the messages. added in spite of the messages.
@ -40,172 +22,323 @@ Problems Corrected:
The firewall script has been modified to eliminate the error The firewall script has been modified to eliminate the error
messages. messages.
10) When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in 5) Interface-specific dynamic blacklisting chains are now displayed by
/etc/shorewall/masq resulted in a startup error: "shorewall monitor" on the "Dynamic Chains" page (previously named
"Dynamic Chain").
eth0 eth1 206.124.146.20-206.124.146.24 6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
11) Shorewall previously choked over IPV6 addresses configured on 7) The 'shorewall reject' and 'shorewall drop' commands now delete any
interfaces in contexts where Shorewall needed to detect something existing rules for the subject IP address before adding a new DROP
about the interface (such as when "detect" appears in the BROADCAST or REJECT rule. Previously, there could be many rules for the same
column of the /etc/shorewall/interfaces file). IP address in the dynamic chain so that multiple 'allow' commands
were required to re-enable traffic to/from the address.
8) When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following entry in
/etc/shorewall/masq resulted in a startup error:
eth0 eth1 206.124.146.20-206.124.146.24
9) Shorewall previously choked over IPV6 addresses configured on
interfaces in contexts where Shorewall needed to detect something
about the interface (such as when "detect" appears in the BROADCAST
column of the /etc/shorewall/interfaces file).
10) Shorewall will now load module files that are formed from the
module name by appending ".o.gz".
11) When Shorewall adds a route to a proxy ARP host and such a route
already exists, two routes resulted previously. This has been
corrected so that the existing route is replaced if it already
exists.
12) The rfc1918 file has been updated to reflect recent allocations.
13) The documentation of the USERSETS column in the rules file has been
corrected.
14) If there is no policy defined for the zones specified in a rule,
the firewall script previously encountered a shell syntax error:
[: NONE: unexpected operator
Now, the absence of a policy generates an error message and the
firewall is stopped:
No policy defined from zone <source> to zone <dest>
15) Previously, if neither /etc/shorewall/common nor
/etc/shorewall/common.def existed, Shorewall would fail to start
and would not remove the lock file. Failure to remove the lock file
resulted in the following during subsequent attempts to start:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Giving up on lock file /var/lib/shorewall/lock
Shorewall Not Started
Shorewall now reports a fatal error if neither of these two files
exist and correctly removes the lock file.
16) The order of processing the various options has been changed such
that blacklist entries now take precedence over the 'dhcp'
interface setting.
17) The log message generated from the 'logunclean' interface option
has been changed to reflect a disposition of LOG rather than DROP.
18) When a user name and/or a group name was specified in the USER SET
column and the destination zone was qualified with a IP address,
the user and/or group name was not being used to qualify the rule.
Example:
ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir:
19) The /etc/shorewall/masq file has had the spurious "/" character at
the front removed.
Migration Issues: Migration Issues:
1) In earlier versions, an undocumented feature allowed entries in 1) IP Traffic Accounting is changed from Snapshot 20030813.
the host file as follows:
z eth1:192.168.1.0/24,eth2:192.168.2.0/24 2) The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the User Set page for details.
This capability was never documented and has been removed in 1.4.6 3) The per-interface dynamic blacklisting facility from previous 1.4.6
to allow entries of the following format: Snapshots has been removed. The implications of the facility for
users with dial-up internet connections were too complicated to
z eth1:192.168.1.0/24,192.168.2.0/24 document adaquately. My apologies for unleashing this half-baked
idea on the user base.
2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).
New Features: New Features:
1) A 'newnotsyn' interface option has been added. This option may be 1) The 2.6 series of Linux kernels will not support the 'unclean'
specified in /etc/shorewall/interfaces and overrides the setting match extension except in Patch-O-Matic. In keeping with the
NEWNOTSYN=No for packets arriving on the associated interface. Shorewall policy of not supporting netfilter extensions that are
only available in Patch-O-Matic, the 'dropunclean' and
'logunclean' interface options will be removed in a future
release. In the 1.4.7 release, they are flagged with a warning.
2) The means for specifying a range of IP addresses in 2) Thanks to Steve Herber, the help command can now give
/etc/shorewall/masq to use for SNAT is now command-specific help.
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets other than the first 3) A new option "ADMINISABSENTMINDED" has been added to
one on an interface. /etc/shorewall/shorewall.conf. This option has a default value of
"No" for existing Shorewall users who are upgrading to this release.
With this setting, Shorewall's 'stopped' state continues as it has
been; namely, in the stopped state only traffic to/from hosts listed
in /etc/shorewall/routestopped is accepted.
4) DNAT[-] rules may now be used to load balance (round-robin) over a The default for new users installing Shorewall for the first time is
set of servers. Any number of servers may be specified in a range of ADMINISABSENTMINDED=Yes.With that setting, in addition to traffic
addresses given as <first address>-<last address> and multiple to/from the hosts listed in /etc/shorewall/routestopped, Shorewall
ranges or individual servers may be specified in a comma-separated will allow:
list.
a) All traffic originating from the firewall itself; and
b) All traffic that is part of or related to an already-existing
connection.
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.
Note though that it is still possible for people to shoot themselves
in the foot.
Example: Example:
DNAT net loc:192.168.10.2-192.168.10.5,192.168.10.44 tcp 80 /etc/shorewall/nat:
5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options 206.124.146.178 eth0:0 192.168.1.5
have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The
output of the start, restart and check commands have been enhanced
to report the outcome:
Shorewall has detected the following iptables/netfilter capabilities: /etc/shorewall/rules:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Verifying Configuration...
6) Support for the Connection Tracking Match Extension has been ACCEPT net loc:192.168.1.5 tcp 22
added. This extension is available in recent kernel/iptables ACCEPT loc fw tcp 22
releases and allows for rules which match against elements in
netfilter's connection tracking table.
Shorewall automatically detects the availability of this extension I ssh into 206.124.146.178 which establishes an SSH connection with
and reports its availability in the output of the start, restart and 192.168.1.5. I then create a second SSH connection from that
check commands. computer to the firewall and confidently type "shorewall
stop". As part of stopping, Shorewall removes eth0:0 which kills my
SSH connection to 192.168.1.5!!!
Shorewall has detected the following iptables/netfilter capabilities: 4) Given the wide range of VPN software, I can never hope to add
NAT: Available specific support for all of it. I have therefore decided to add
Packet Mangling: Available "generic" tunnel support.
Multi-port Match: Available
Connection Tracking Match: Available
Verifying Configuration...
If this extension is available, the ruleset generated by Shorewall Generic tunnels work pretty much like any of the other tunnel
is changed in the following ways: types. You usually add a zone to represent the systems at the other
end of the tunnel and you add the appropriate rules/policies to
implement your security policy regarding traffic to/from those
systems.
a) To handle 'norfc1918' filtering, Shorewall will not create chains In the /etc/shorewall/tunnels file, you can have entries of the
in the mangle table but will rather do all 'norfc1918' filtering in form:
the filter table (rfc1918 chain).
b) Recall that Shorewall DNAT rules generate two netfilter rules; # TYPE ZONE GATEWAY GATEWAY ZONE
one in the nat table and one in the filter table. If the Connection generic:<protocol>[:<port>] <zone> <ip address> <gateway zones>
Tracking Match Extension is available, the rule in the filter table
is extended to check that the original destination address was the
same as specified (or defaulted to) in the DNAT rule.
7) The shell used to interpret the firewall script where:
(/usr/share/shorewall/firewall) may now be specified using the
SHOREWALL_SHELL parameter in shorewall.conf.
8) An 'ipcalc' command has been added to /sbin/shorewall. <protocol> is the protocol used by the tunnel
<port> if the protocol is 'udp' or 'tcp' then this
is the destination port number used by the
tunnel.
<zone> is the zone of the remote tunnel gateway
<ip address> is the IP address of the remote tunnel
gateway.
<gateway zone> Optional. A comma-separated list of zone names.
If specified, the remote gateway is to be
considered part of these zones.
ipcalc [ <address> <netmask> | <address>/<vlsm> ] 5) An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
result that this interface will only answer ARP 'who-has' requests
from hosts that are routed out of that interface. Setting this
option facilitates testing of your firewall where multiple firewall
interfaces are connected to the same HUB/Switch (all interfaces
connected to the single HUB/Switch should have this option
specified). Note that using such a configuration in a production
environment is strongly recommended against.
Examples: 6) The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter
will use all listed addresses/ranges in round-robin fashion.
[root@wookie root]# shorewall ipcalc 192.168.1.0/24 7) An /etc/shorewall/accounting file has been added to allow for
CIDR=192.168.1.0/24 traffic accounting..
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
[root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0 The accounting rules are placed in a chain called "accounting" and
CIDR=192.168.1.0/24 can thus be displayed using "shorewall show accounting".
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
Warning: The file has the following columns:
If your shell only supports 32-bit signed arithmatic (ash or ACTION - What to do when a match is found. Possible
dash), then the ipcalc command produces incorrect information for values are:
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
correct information for all valid IP addresses.
9) An 'iprange' command has been added to /sbin/shorewall. COUNT - Simply count the match and continue
trying to match the packet with the
following accounting rules.
iprange <address>-<address> DONE - Count the match and don't attempt to
match any following accounting rules.
This command decomposes a range of IP addressses into a list of <chain> - The name of a chain to jump to.
network and host addresses. The command can be useful if you need to Shorewall will create the chain
construct an efficient set of rules that accept connections from a automatically. If the name of the
range of network addresses. chain is followed by ":COUNT" then
a COUNT rule matching this rule
will automatically be added to
<chain>
Note: If your shell only supports 32-bit signed arithmetic (ash or CHAIN - The name of the chain where the accounting
dash) then the range may not span 128.0.0.0. rule is to be added. If empty or "-" then
the "accounting" chain is assumed.
Example: SOURCE - Packet Source
[root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9 The name of an interface, an address (host or
192.168.1.4/30 net) or an interface name followed by ":"
192.168.1.8/29 and a host or net address.
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/25
192.168.2.0/23
192.168.4.0/22
192.168.8.0/22
192.168.12.0/29
192.168.12.8/31
[root@gateway root]#
10) A list of host/net addresses is now allowed in an entry in DESTINATION - Packet Destination
/etc/shorewall/hosts.
Example: Format the same as the SOURCE column.
foo eth1:192.168.1.0/24,192.168.2.0/24 PROTOCOL A protocol name (from /etc/protocols), a
protocol number.
11) The "shorewall check" command now includes the chain name when DEST PORT Destination Port number
printing the applicable policy for each pair of zones.
Example: Service name from /etc/services or port
number. May only be specified if the protocol
is TCP or UDP (6 or 17).
Policy for dmz to net is REJECT using chain all2all SOURCE PORT Source Port number
This means that the policy for connections from the dmz to the Service name from /etc/services or port
internet is REJECT and the applicable entry in the number. May only be specified if the protocol
/etc/shorewall/policy was the all->all policy. is TCP or UDP (6 or 17).
12) Support for the 2.6 Kernel series has been added. In all columns except ACTION and CHAIN, the values "-","any" and
"all" are treated as wild-cards.
The accounting rules are evaluated in the Netfilter 'filter'
table. This is the same environment where the 'rules' file rules are
evaluated and in this environment, DNAT has already occurred in
inbound packets and SNAT has not yet occurred on outbound ones.
The accounting rules are placed in a chain called "accounting" and
can thus be displayed using "shorewall show accounting".
See http://shorewall.net/Accounting.html for examples.
8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.
9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and
REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate
limited. If you want to limit the filter table rule, you will need
to create two rules; a DNAT- rule and an ACCEPT rule which can be
rate-limited separately.
To specify a rate limit, you can follow one of two approaches:
a) You may follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
< <rate>/<interval>[:<burst>] >
where
<rate> is the sustained rate per <interval>
<interval> is "sec" or "min"
<burst> is the largest burst accepted within an
<interval>. If not given, the default of 5 is
assumed.
There may be no white space between the ACTION and "<" nor there
may be any white space within the burst specification. If you want
to specify logging of a rate-limited rule, the ":" and log level
comes after the ">" (e.g., ACCEPT<2/sec:4>:info ).
b) There is a new RATE LIMIT column at the far right of the
file (beyond column 80). You may place the rate limit there in
the format:
<rate>/<interval>[:<burst>]
where <rate>, <interval> and <burst> are as above.
You may not place a rate limit in both the ACTION and RATE LIMIT
columns.
Let's take an example:
ACCEPT<2/sec:4> net dmz tcp 80
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be
accepted. After this, it will be 500ms (1 second divided by the rate
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged;
back where we started.
Warning: When rate limiting is specified on a rule with "all" in the
SOURCE or DEST fields, the limit will apply to each pair of
zones individually rather than as a single limit for all pairs of
zones covered by the rule.
10) Multiple chains may now be displayed in one "shorewall show"
command (e.g., shorewall show INPUT FORWARD OUTPUT).
11) Output rules (those with $FW as the SOURCE) may now be limited to
a set of local users and/or groups. See
http://shorewall.net/UserSets.html for details.
12) The RPM has been modified so that it no longer conflicts with
SuSE's bizarre kernel RPMs.
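Review bot: New Features item 3 describes ADMINISABSENTMINDED only as a convenience; it should also state the security consequence, since with Yes the 'stopped' state keeps passing all traffic originating from the firewall and all traffic that is part of or related to an existing connection, so "shorewall stop" (and, per the shorewall.conf text on this page, the error path of other commands) no longer fails closed and cannot be used to sever an already-established session, an intruder's included. A sentence saying that No is the fail-closed setting and Yes is the opt-in for remote administrators would let readers choose knowingly. Two smaller points: Problems corrected item 15 quotes the lock file as /var/lib/shorewall/lock while the STATEDIR default in the /sbin/shorewall hunk on this page is /var/state/shorewall, so one of them should be checked; and typos "Uset Set", "adaquately", "arithmatic", and the doubled period in "traffic accounting..".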

View File

@ -22,7 +22,7 @@
255.255.255.255 RETURN # We need to allow limited broadcast 255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig 169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918 172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses 192.0.2.0/24 logdrop # Example addresses (RFC 3330)
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
# #
# The following are generated with the help of the Python program found at: # The following are generated with the help of the Python program found at:
@ -46,7 +46,6 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved
83.0.0.0/8 logdrop # Reserved 83.0.0.0/8 logdrop # Reserved
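Review bot: the 60.0.0.0/8 entry is removed by hand, but the comment above this hunk says these entries are generated by a Python program; unless the generator's input is updated as well, the next regeneration will reinsert the block and resume logdropping a prefix that is presumably now allocated (which is why it is being removed). A header line recording when the list was last regenerated would make stale entries like this easier to audit.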
@ -56,7 +55,7 @@
127.0.0.0/8 logdrop # Loopback 127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved 197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved 198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America 223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved 240.0.0.0/4 logdrop # Reserved
# #
# End of generated entries # End of generated entries
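Review bot: this is a one-for-one swap of 201.0.0.0/8 for 223.0.0.0/8, so please confirm the intent is that 201/8 is now allocated and must stop being logdropped; a stale line in this file silently drops legitimate traffic from an entire /8 with nothing but a log entry to show for it, and a swap is easier to get wrong than an explicit remove plus add. The new comment "Reserved - Returned by APNIC in 2003" describes history where the neighbouring entries describe status; keep the style consistent.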

View File

@ -47,10 +47,29 @@
# (those) zone(s). # (those) zone(s).
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# #
# May optionally be followed by ":" and a syslog log # You may rate-limit the rule by optionally
# level (e.g, REJECT:info). This causes the packet to be # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT<4/sec:8>:debugging). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# NOTE: For those of you who prefer to place the
# rate limit in a separate column, see the RATE LIMIT
# column below. If you specify a value in that column,
# you must not include a rate limit in the ACTION column
#
# You may also specify ULOG (must be in upper case) as a # You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing # log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd # to a separate log through use of ulogd
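Review bot: doubled word in "There may be no / no whitespace embedded in the specification". The text also says <rate> is "the number of connections per <interval>", while the release notes on this page describe the same limit in packets ("the first four packets will be accepted"); netfilter's limit match counts packets that reach the rule, so say "connections" only where the rule is guaranteed to see connection-opening packets, or use "packets" here as well.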
@ -193,6 +212,39 @@
# If no source IP address is given, the original source # If no source IP address is given, the original source
# address is not altered. # address is not altered.
# #
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# If you place a rate limit in this column, you may not
# place a similar limit in the ACTION column.
#
# USER SET This column may only be non-empty if the SOURCE is
# the firewall itself and the ACTION is ACCEPT, DROP or
# REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user>(s) and/or <group>(s) specified.
# When a user set name is given, a log level may not be
# present in the ACTION column; logging for such rules is
# controlled by the user set's entry in
# /etc/shorewall/usersets.
#
# Example: Accept SMTP requests from the DMZ to the internet # Example: Accept SMTP requests from the DMZ to the internet
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
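Review bot: "colume" should be "column" in the RATE LIMIT entry. In the USER SET text, "the program generating the output is running under the effective <user>(s) and/or <group>(s)" holds only for locally generated packets, which is why the column is restricted to SOURCE = firewall; it is worth adding that the match is on the owner of the originating socket, so packets without a local socket owner (kernel-generated traffic) never match, and that a rule with a user set therefore cannot be used to constrain forwarded traffic.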
@ -206,6 +258,14 @@
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http # DNAT net loc:192.168.1.3 tcp ssh,http
# #
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
#
# Example: Redirect all locally-originating www connection requests to # Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall # port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2 # system) except when the destination address is 192.168.2.2
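Review bot: the DNAT<3/sec:10> example should say what is being limited. The release notes on this page state that for DNAT and REDIRECT rules the rate limit is applied to the nat-table DNAT rule and the corresponding filter-table ACCEPT is not limited, so 3/sec:10 limits new translations reaching the nat rule, not packets in the forwarded stream; a reader of this example alone will assume the latter. Mention the DNAT- plus separate ACCEPT form for anyone who wants the filter rule limited.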
@ -226,9 +286,9 @@
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 \ # ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22 # tcp 22
############################################################################## ####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST # PORT PORT(S) DEST LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
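Review bot: the new column header reads "USER" while the documentation above names the column "USER SET"; use the same name in both places so a reader counting columns finds it. Adding the missing "fw" DEST to the ssh example is a good fix; the continuation line "tcp 22" leaves the intermediate columns implicit, so aligning it under PROTO in the file would help.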

View File

@ -51,7 +51,7 @@
# compensate for a change of # compensate for a change of
# broadcast address on any "detect" # broadcast address on any "detect"
# interface. # interface.
# shorewall show <chain> Display the rules in a <chain> # shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed
# shorewall show log Print the last 20 log messages # shorewall show log Print the last 20 log messages
# shorewall show connections Show the kernel's connection # shorewall show connections Show the kernel's connection
# tracking table # tracking table
@ -517,6 +517,15 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done done
} }
#
# Help information
#
help()
{
[ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP"
}
# #
# Give Usage Information # Give Usage Information
# #
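Review bot: `exec $HELP $*` re-splits the arguments; use `exec "$HELP" "$@"` so an argument containing whitespace reaches the help script intact, and quote $HELP in the `-x` test too. When the help script is missing the function prints the message and falls through with status 0, so the caller sees success; return a non-zero status there.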
@ -525,27 +534,28 @@ usage() # $1 = exit status
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>" echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " delete <interface>[:<host>] <zone>"
echo " show [<chain>|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
echo " restart"
echo " status"
echo " clear"
echo " refresh"
echo " hits"
echo " monitor [<refresh interval>]"
echo " version"
echo " check"
echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]"
echo " drop <address> ..."
echo " reject <address> ..."
echo " allow <address> ..." echo " allow <address> ..."
echo " save" echo " check"
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]" echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>" echo " iprange <address>-<address>"
echo " logwatch [<refresh interval>]"
echo " monitor [<refresh interval>]"
echo " refresh"
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " save"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " status"
echo " try <directory> [ <timeout> ]"
echo " version"
exit $1 exit $1
} }
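Review bot: stray space in `help [ <command > | host | address ]`, should be `<command>`. The brackets advertise the argument as optional, which the new `help)` case below does not accept (it requires exactly one argument); make usage and implementation agree.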
@ -611,12 +621,11 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version VERSION_FILE=$SHARED_DIR/version
HELP=$SHARED_DIR/help
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
. $FUNCTIONS . $FUNCTIONS
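Review bot: moving the STATEDIR default below the point where $FUNCTIONS is sourced changes precedence, since a STATEDIR set by the functions file now overrides the built-in default; if that is the intent, say so in a comment. Note also that the default here is /var/state/shorewall while the release notes on this page quote the lock file as /var/lib/shorewall/lock; check which is right for this release and make them agree.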
@ -634,6 +643,8 @@ else
exit 2 exit 2
fi fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then if [ -L $FIREWALL ]; then
@ -687,26 +698,29 @@ case "$1" in
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show|list) show|list)
[ $# -gt 2 ] && usage 1
case "$2" in case "$2" in
connections) connections)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Connections at $HOSTNAME - `date`" echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
;; ;;
nat) nat)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version NAT at $HOSTNAME - `date`" echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo echo
show_reset show_reset
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - `date`" echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo echo
show_reset show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
;; ;;
log) log)
[ $# -gt 2 ] && usage 1
get_config get_config
echo "Shorewall-$version Log at $HOSTNAME - `date`" echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo echo
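Review bot: the `[ $# -gt 2 ] && usage 1` guard is now copied into each subcommand (connections, nat, tos, log, tc, classifiers) because only the chain case may take extra arguments; keeping the single check at the top of `show|list)` and exempting the `*)` branch would be shorter and would not be forgotten when the next subcommand is added.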
@ -715,20 +729,30 @@ case "$1" in
packet_log 20 packet_log 20
;; ;;
tc) tc)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`" echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo echo
show_tc show_tc
;; ;;
classifiers) classifiers)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`" echo "Shorewall-$version Clasifiers at $HOSTNAME - `date`"
echo echo
show_classifiers show_classifiers
;; ;;
*) *)
echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`" shift
echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
echo echo
show_reset show_reset
iptables -L $2 -n -v if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain -n -v
done
else
iptables -L -n -v
fi
;; ;;
esac esac
;; ;;
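Review bot: with no chain argument the `*)` branch now runs `iptables -L -n -v` and dumps every chain in the filter table; the usage text describes `show` as taking chain names, so document the no-argument form. Inside the loop a failing `iptables -L $chain` (unknown chain) prints iptables' error and the loop continues, and the script's status reflects only the last chain; a failure flag collected across iterations would give the caller a meaningful exit status. `$*` in the echo and the unquoted `$chain` are harmless only because chain names cannot contain whitespace; `"$@"` is the idiom.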
@ -837,6 +861,8 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1 iptables -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped" echo "$1 Dropped"
done done
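Review bot: each of the two new `qt iptables -D dynamic -s $1 -j ...` lines deletes a single matching rule, so an address that was dropped or rejected several times under the previous version (which appended without checking) keeps its surplus entries after the upgrade. A loop such as `while qt iptables -D dynamic -s $1 -j DROP; do :; done` would clear them; otherwise the release notes should say that duplicate dynamic entries persist until the chain is rebuilt.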
@ -847,6 +873,8 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1 iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected" echo "$1 Rejected"
done done
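Review bot: same point as for `drop`: one `-D` removes one instance each of the reject and DROP rules, so pre-existing duplicates survive. Since `allow` below now relies on an address having at most one of the two forms, the cleanup here should remove all instances.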
@ -857,13 +885,7 @@ case "$1" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
if qt iptables -D dynamic -s $1 -j reject; then if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
#
# Address was rejected -- silently remove any drop as well
#
qt iptables -D dynamic -s $1 -j DROP
echo "$1 Allowed"
elif qt iptables -D dynamic -s $1 -j DROP; then
echo "$1 Allowed" echo "$1 Allowed"
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
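Review bot: the new condition `qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP` short-circuits, so when both a reject and a DROP rule exist for the address (possible for entries created before this release, because only now do `drop` and `reject` remove the other form) only the reject is deleted, the DROP stays, the script prints "$1 Allowed", and the host remains blocked. The removed code handled exactly that case ("Address was rejected -- silently remove any drop as well"). Run both deletions unconditionally and test whether either succeeded, e.g. `qt iptables -D dynamic -s $1 -j reject; r=$?; qt iptables -D dynamic -s $1 -j DROP; d=$?` followed by `if [ $r -eq 0 -o $d -eq 0 ]`.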
@ -927,6 +949,11 @@ case "$1" in
shift; shift;
$@ $@
;; ;;
help)
shift
[ $# -ne 1 ] && usage 1
help $@
;;
*) *)
usage 1 usage 1
;; ;;
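Review bot: after `shift`, `[ $# -ne 1 ] && usage 1` makes `shorewall help` with no argument exit with the usage text, yet the usage line added in this same file advertises `help [ <command > | host | address ]` with the argument optional; either accept zero arguments here and let the help script print an index, or drop the brackets in usage. `help $@` should be `help "$@"`.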

View File

@ -434,6 +434,35 @@ MUTEX_TIMEOUT=60
NEWNOTSYN=No NEWNOTSYN=No
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
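Review bot: the shipped file sets ADMINISABSENTMINDED=Yes, so every new install, and any administrator who copies the new shorewall.conf over the old one (the RPM's %config(noreplace) will not), gets the permissive stopped state. The comment explains the convenience but not the cost, which belongs in the same place: with Yes, "shorewall stop" and the error path of other commands no longer fail closed; all OUTPUT from the firewall and every established or related connection keeps flowing, so the stopped state can no longer be used to cut off an intruder's session or to contain a misconfiguration. Recommend shipping No and letting remote administrators opt in, or at minimum stating here that No is the safe setting and that routestopped is the intended way to keep remote access.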

View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.6c %define version 1.4.7
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -16,7 +16,6 @@ URL: http://www.shorewall.net/
BuildArch: noarch BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables iproute Requires: iptables iproute
Conflicts: kernel <= 2.2
%description %description
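Review bot: dropping `Conflicts: kernel <= 2.2` fixes installation on hosts whose kernel RPM version string confused the check (the release notes on this page cite SuSE's kernel RPMs), but it also removes the only packaging guard against installing on an ipchains-era 2.2 kernel, where the firewall script cannot work. The script already reports detected iptables/netfilter capabilities at start; a run-time check that iptables and the filter table are usable, with a clear error, would replace the guard that was lost here.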
@ -98,19 +97,47 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn %attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0600,root,root) %config(noreplace) /etc/shorewall/accounting
%attr(0600,root,root) %config(noreplace) /etc/shorewall/usersets
%attr(0600,root,root) %config(noreplace) /etc/shorewall/users
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/share/shorewall/functions %attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%doc documentation %doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Wed Aug 27 2003 Tom Eastep <tom@shorewall.net> * Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6c-1 - Changed version to 1.4.7-1
* Fri Aug 01 2003 Tom Eastep <tom@shorewall.net> - Removed conflict with 2.2 Kernels
- Changed version to 1.4.6b-1 * Mon Sep 22 2003 Tom Eastep <tom@shorewall.net>
* Tue Jul 22 2003 Tom Eastep <tom@shorewall.net> - Changed version to 1.4.7-0RC2
- Changed version to 1.4.6a-1 * Thu Sep 18 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0RC1
* Mon Sep 15 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0Beta2
* Mon Aug 25 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-0Beta1
* Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
- Added /etc/shorewall/users
- Changed version to 1.4.6_20030823-1
* Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030821-1
- Added /etc/shorewall/usersets
* Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030813-1
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
- Added /etc/shorewall/accounting
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030809-1
* Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030731-1
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
- Added /usr/share/shorewall/help
- Changed version to 1.4.6_20030727-1
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6_20030726-1
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net> * Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1 - Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net> * Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
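Review bot: %changelog has two separate "Sat Aug 09 2003" entries; merge them into one. Permissions look consistent: /usr/share/shorewall/help is packaged 0544 to satisfy the `[ -x $HELP ]` test in /sbin/shorewall, and the three new configuration files (accounting, usersets, users) get 0600 like the rest of /etc/shorewall.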

View File

@ -58,5 +58,6 @@
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
# ranges. # ranges.
############################################################################## ##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S) #MARK SOURCE DEST PROTO PORT(S) CLIENT
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -10,13 +10,20 @@
# The columns are: # The columns are:
# #
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn". # "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
# #
# If type is "openvpn", it may optionally be followed # If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no # by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port # ":" and port number are included, then the default port
# of 5000 will be used # of 5000 will be used
# #
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which # ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet # tunnel traffic passes. This is normally your internet
# zone. # zone.
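Review bot: the new "generic" TYPE description (the lines beginning `If type is "generic"`) does not say how the optional port is matched, that is, whether it is the destination port of the tunnel traffic in both directions or only for traffic arriving from the GATEWAY; someone configuring a tunnel needs that to know which end's port to enter, so add one sentence stating what rules the port produces. While here, the existing context line `":" and port number are included, then the default port` is preceded by a lowercase "if no" at the end of the previous line; capitalising it would fix the sentence.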
@ -30,7 +37,7 @@
# column is a standalone host then this column should # column is a standalone host then this column should
# contain a comma-separated list of the names of the # contain a comma-separated list of the names of the
# zones that the host might be in. This column only # zones that the host might be in. This column only
# applies to IPSEC tunnels. # applies to IPSEC and generic tunnels.
# #
# Example 1: # Example 1:
# #
@ -85,5 +92,14 @@
# #
# openvpn:7777 net 4.33.99.124 # openvpn:7777 net 4.33.99.124
# #
# TYPE ZONE GATEWAY GATEWAY ZONE PORT # Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
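Review bot: the last header line of the hunk drops the PORT column (`# TYPE ZONE GATEWAY GATEWAY ZONE PORT` becomes `# TYPE ZONE GATEWAY GATEWAY` with `ZONE` on the continuation line), but nothing in the hunk says PORT was removed as a column. The examples just above (`openvpn:7777` and the new `generic:udp:4444`) carry the port inside the TYPE column, so if that is now the only place a port may appear, state it in the TYPE description; if a fifth PORT column is still accepted, keep it in the header.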

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6c VERSION=1.4.7
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -99,7 +99,8 @@ if [ -n "$FIREWALL" ]; then
rm -f ${FIREWALL}-*.bkout rm -f ${FIREWALL}-*.bkout
fi fi
remove_file /sbin/shorewall rm -f /sbin/shorewall
rm -f /sbin/shorewall-*.bkout
if [ -n "$VERSION" ]; then if [ -n "$VERSION" ]; then
restore_file /etc/rc.d/rc.local restore_file /etc/rc.d/rc.local

View File

@ -7,6 +7,11 @@
# DISPLAY Display name of the zone # DISPLAY Display name of the zone
# COMMENTS Comments about the zone # COMMENTS Comments about the zone
# #
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS #ZONE DISPLAY COMMENTS
net Net Internet net Net Internet
loc Local Local networks loc Local Local networks

View File

@ -105,6 +105,10 @@ packets for <a href="traffic_shaping.htm">Traffic Shaping/Control</a>.</li>
the firewall. This should be placed in /sbin or in /usr/sbin (the the firewall. This should be placed in /sbin or in /usr/sbin (the
install.sh install.sh
script and the rpm install this file in /sbin).</li> script and the rpm install this file in /sbin).</li>
<li><a href="Accounting.html"><span style="font-weight: bold;">accounting</span></a>
-- a parameter file in /etc/shorewall used to define traffic accounting
rules. This file was added in version 1.4.7.<br>
</li>
<li><b> version</b> -- a file created in /etc/shorewall/ <li><b> version</b> -- a file created in /etc/shorewall/
(/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall (/var/lib/shorewall in version 1.3.2-1.3.8 and /usr/lib/shorewall
beginning in version 1.3.9) that describes the version of Shorewall beginning in version 1.3.9) that describes the version of Shorewall
@ -676,7 +680,10 @@ which TCP connection requests will be accepted followed by a colon
Example: <b> 10/sec:40</b> specifies that the maximum rate of TCP Example: <b> 10/sec:40</b> specifies that the maximum rate of TCP
connection requests allowed will be connection requests allowed will be
10 per second and a burst of 40 connections will be tolerated. 10 per second and a burst of 40 connections will be tolerated.
Connection requests in excess of these limits will be dropped.</li> Connection requests in excess of these limits will be dropped. See the <a
href="#Rules">rules file documentation</a> for an explaination of how
rate limiting works.<br>
</li>
</ol> </ol>
<p> In the SOURCE and DEST columns, you can enter "all" to indicate all <p> In the SOURCE and DEST columns, you can enter "all" to indicate all
zones. </p> zones. </p>
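Review bot: typo in the added sentence "See the rules file documentation for an explaination of how rate limiting works": "explaination" should be "explanation".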
@ -940,6 +947,13 @@ PORT(S)</b></td>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td>...</td> <td>...</td>
@ -955,6 +969,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
@ -965,6 +983,10 @@ DEST</b></td>
<td>-</td> <td>-</td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
@ -975,6 +997,10 @@ DEST</b></td>
<td>-</td> <td>-</td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>...</td> <td>...</td>
@ -990,6 +1016,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1010,7 +1040,7 @@ requires two rules as follows:</p>
<p> </p> <p> </p>
<font face="Century Gothic, Arial, Helvetica"> </font><font <font face="Century Gothic, Arial, Helvetica"> </font><font
face="Century Gothic, Arial, Helvetica"> </font> face="Century Gothic, Arial, Helvetica"> </font>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table style="border-collapse: collapse;" cellpadding="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
@ -1023,6 +1053,13 @@ PORT(S)</b></td>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td> <br> <td> <br>
@ -1039,6 +1076,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>...</td> <td>...</td>
@ -1054,6 +1095,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
@ -1064,6 +1109,10 @@ DEST</b></td>
<td>-</td> <td>-</td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
@ -1074,6 +1123,10 @@ DEST</b></td>
<td>-</td> <td>-</td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>...</td> <td>...</td>
@ -1089,6 +1142,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1134,8 +1191,46 @@ header-rewriting rule.<br>
<li>LOG - Log the packet -- requires <li>LOG - Log the packet -- requires
a syslog level (see below).</li> a syslog level (see below).</li>
</ul> </ul>
<p>The ACTION may optionally be followed by ":" and a <a <p>Beginning with Shorewall version 1.4.7, you may rate-limit the
href="shorewall_logging.html">syslog level</a> (example: REJECT:info). rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt; &lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
<br>
where<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt; is the number of connections per <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;interval&gt; ("sec" or "min") and &lt;burst&gt; is the largest
burst permitted. If no burst value is given, a value of 5 is assumed.<br>
<br>
There may be no whitespace embedded in the
specification.&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; <br>
<br>
Let's take an example:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate of 2) before
a packet will be accepted from this rule, regardless of how many
packets reach it. Also, every 500ms which passes without matching a
packet, one of the bursts will be regained; if no packets hit the rule
for 2 second, the burst will be fully recharged; back where we started.<br>
<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST fields
below, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of zones covered by the rule.<br>
<br>
Rate limiting may also be specified in the RATE LIMIT column below; in
that case, it must not be specified as part of the ACTION column.<br>
<br>
The ACTION (and rate limit) may optionally be followed by ":" and a <a
href="shorewall_logging.html">syslog level</a> (example: REJECT:info
or ACCEPT&lt;2/sec:4&gt;:debugging).
This This
causes the packet to be logged at the specified level prior to being causes the packet to be logged at the specified level prior to being
processed according to the specified ACTION. Note: if the ACTION processed according to the specified ACTION. Note: if the ACTION
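Review bot: the added rate-limit text defines `<rate>` as "the number of connections per <interval>" but the worked example then counts packets ("the first four packets will be accepted", "regardless of how many packets reach it"); pick one term, because a reader will otherwise wonder whether a multi-packet connection consumes several burst tokens. Two smaller points in the same hunk: "if no packets hit the rule for 2 second" should read "2 seconds", and the indentation built from runs of `&nbsp;` around `<rate>/<interval>[:<burst>]` and the `ACCEPT<2/sec:4> net dmz tcp 80` line is fragile under editors; a `<pre>` or `<blockquote>` would hold the layout.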
@ -1145,6 +1240,8 @@ The use of DNAT or REDIRECT requires that you have <a
href="#NatEnabled">NAT enabled</a>.<br> href="#NatEnabled">NAT enabled</a>.<br>
</p> </p>
</li> </li>
<li> <br>
</li>
<li><b>SOURCE</b> - Describes the source hosts to which the rule <li><b>SOURCE</b> - Describes the source hosts to which the rule
applies.. The contents of this field must begin with the name of a zone applies.. The contents of this field must begin with the name of a zone
defined in /etc/shorewall/zones, $FW or defined in /etc/shorewall/zones, $FW or
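Review bot: this hunk inserts an empty list item (`<li> <br>` / `</li>`) between the ACTION and SOURCE entries, which renders as a blank bullet in the column list; drop it, or if extra spacing was wanted, put the `<br>` inside the preceding `</li>`.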
@ -1269,12 +1366,63 @@ scope of a rule by incoming interface. <br>
</b>If SNAT is not used (no ":" and second IP address), the </b>If SNAT is not used (no ":" and second IP address), the
original source address is used. If you want any destination address to original source address is used. If you want any destination address to
match the rule but want to specify SNAT, simply use a colon followed by match the rule but want to specify SNAT, simply use a colon followed by
the SNAT address.</li> the SNAT address.<br>
<br>
</li>
<li><span style="font-weight: bold;">RATE LIMIT </span>- Beginning
with Shorewall version 1.4.7, you may rate-limit ACCEPT, DNAT[-],
REDIRECT[-] or LOG rules with an entry in this column. Entries have the
form<br>
&nbsp;<br>
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] <br>
<br>
where<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt; is the number of connections per <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;interval&gt; ("sec" or "min") and &lt;burst&gt; is the largest
burst permitted. If no burst value is given, a value of 5 is assumed.<br>
<br>
There may be no whitespace embedded in the
specification.&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp; <br>
<br>
Let's take an example:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate of 2) before
a packet will be accepted from this rule, regardless of how many
packets reach it. Also, every 500ms which passes without matching a
packet, one of the bursts will be regained; if no packets hit the rule
for 2 second, the burst will be fully recharged; back where we started.<br>
<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST fields
below, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of zones covered by the rule.<br>
<br>
Rate limiting may also be specified in the ACTION column above; in that
case, it must not be specified as part of the RATE LIMIT column.<br>
<br>
If you want to specify any following columns but no rate limit, place
"-" in this column.<br>
<br>
</li>
<li><span style="font-weight: bold;">USER SET </span>- Beginning
with Shorewall release 1.4.7, output rules from the firewall itself may
be restricted to a particular set of users and/or user groups. See the <a
href="UserSets.html">User Set Documentation </a>for details.<br>
</li>
</ul> </ul>
<p><b> <font face="Century Gothic, Arial, Helvetica"> <a <p><b> <font face="Century Gothic, Arial, Helvetica"> <a
name="PortForward"></a> </font>Example 1. </b> You wish to forward name="PortForward"></a> </font>Example 1. </b> You wish to forward
all ssh connection requests from the internet to local system all ssh connection requests from the internet to local system
192.168.1.3. </p> 192.168.1.3.&nbsp; You wish to limit the number of connections to
4/minute with a burst of 8 (Shorewall 1.4.7 and later only): </p>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font> <blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
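Review bot: the RATE LIMIT column entry repeats the ACTION-column rate-limit explanation word for word (including the "2 second" typo), and its example `ACCEPT<2/sec:4> net dmz tcp 80` places the limit in the ACTION column rather than in the column being documented; show the column form instead, e.g. `ACCEPT net dmz tcp 80 - - 2/sec:4` (dashes for SOURCE PORT(S) and ORIGINAL DEST, matching the "place '-' in this column" rule stated a few lines later), and replace the duplicated paragraphs with a one-line reference to the ACTION description so the two copies cannot drift apart.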
@ -1289,9 +1437,17 @@ PORT(S)</b></td>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET<br>
</span></td>
</tr> </tr>
<tr> <tr>
<td>DNAT</td> <td>DNAT&lt;4/min:8&gt;</td>
<td>net</td> <td>net</td>
<td>loc:192.168.1.3</td> <td>loc:192.168.1.3</td>
<td>tcp</td> <td>tcp</td>
@ -1300,6 +1456,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1326,6 +1486,14 @@ PORT(S)</b></td>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET<br>
</span></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
@ -1336,6 +1504,10 @@ DEST</b></td>
<td> -<br> <td> -<br>
</td> </td>
<td>!206.124.146.177</td> <td>!206.124.146.177</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -1347,6 +1519,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1369,6 +1545,13 @@ PORT(S)</b></td>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -1379,6 +1562,10 @@ DEST</b></td>
<td>-</td> <td>-</td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -1390,6 +1577,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1423,6 +1614,13 @@ PORT(S)</b></td>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
@ -1434,6 +1632,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
@ -1443,6 +1645,10 @@ DEST</b></td>
<td>ftp</td> <td>ftp</td>
<td>-</td> <td>-</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1475,6 +1681,13 @@ PORT(S)</b></td>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -1487,6 +1700,10 @@ DEST</b></td>
</td> </td>
<td> <br> <td> <br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1511,9 +1728,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
PORT(S)<br> PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL<br> <td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br> DEST<br>
</b></td> </b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
@ -1530,6 +1754,10 @@ DEST<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1560,9 +1788,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
PORT(S)<br> PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL<br> <td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br> DEST<br>
</b></td> </b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
@ -1579,6 +1814,10 @@ DEST<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1606,9 +1845,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
PORT(S)<br> PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL<br> <td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br> DEST<br>
</b></td> </b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT-<br> <td valign="top">DNAT-<br>
@ -1625,6 +1871,10 @@ DEST<br>
</td> </td>
<td valign="top">192.0.2.178<br> <td valign="top">192.0.2.178<br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT-<br> <td valign="top">DNAT-<br>
@ -1641,6 +1891,10 @@ DEST<br>
</td> </td>
<td valign="top">192.0.2.179<br> <td valign="top">192.0.2.179<br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
@ -1657,6 +1911,10 @@ DEST<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1687,9 +1945,16 @@ PORT(S)<br>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
PORT(S)<br> PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL<br> <td style="vertical-align: top;"><b>ORIGINAL<br>
DEST<br> DEST<br>
</b></td> </b></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">RATE<br>
LIMIT<br>
</span></td>
<td style="vertical-align: top;"><span
style="font-weight: bold;">USER<br>
SET</span></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">DNAT<br>
@ -1706,6 +1971,10 @@ DEST<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -1765,9 +2034,15 @@ static IP on that interface, listing it here makes processing of output
packets a little less expensive for the firewall. If you specify an packets a little less expensive for the firewall. If you specify an
address in this column, it must be an IP address configured on the address in this column, it must be an IP address configured on the
INTERFACE or you must have INTERFACE or you must have
ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a></li> ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a>
Beginning with Shorewall version 1.4.6, you may include a range of IP
addresses in this column to indicate that Netfilter should use the
addresses in the range in round-robin fashion. Beginning with Shorewall
version 1.4.7, you may include a list of ranges and/or addresses in
this column; again, Netfilter will use all listed ranges/addresses in
rounde-robin fashion.</li>
</ul> </ul>
<p><b> Example 1: </b> You have eth0 connected to a cable modem and <p><b>Example 1: </b> You have eth0 connected to a cable modem and
eth1 connected to your local subnetwork 192.168.9.0/24. Your eth1 connected to your local subnetwork 192.168.9.0/24. Your
/etc/shorewall/masq file would look like: </p> /etc/shorewall/masq file would look like: </p>
<blockquote> <blockquote>
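Review bot: typo in the added ADDRESS-column text: "rounde-robin fashion" should be "round-robin fashion".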
@ -1865,6 +2140,26 @@ name eth0:0. You must have ADD_SNAT_ALIASES=Yes in <a href="#Conf">/etc/shorewal
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<span style="font-weight: bold;">Example 6 (Shorewall version &gt;=
1.4.7): </span>You want to use both 206.124.146.177 and
206.124.146.179 for SNAT of the subnet 192.168.12.0/24. Each address
will be used on alternate outbound connections.<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b> INTERFACE</b></td>
<td><b> SUBNET</b></td>
<td><b>ADDRESS</b></td>
</tr>
<tr>
<td>eth0</td>
<td>192.168.12.0/24</td>
<td>206.124.146.177,206.124.146.179</td>
</tr>
</tbody>
</table>
</blockquote>
<h2><font color="#660066"><b><a name="ProxyArp"></a> </b></font>/etc/shorewall/proxyarp</h2> <h2><font color="#660066"><b><a name="ProxyArp"></a> </b></font>/etc/shorewall/proxyarp</h2>
<p>If you want to use proxy ARP on an entire sub-network, I suggest <p>If you want to use proxy ARP on an entire sub-network, I suggest
that you look at <a that you look at <a
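Review bot: the Example 6 heading is a bare `<span style="font-weight: bold;">` followed by prose and `<br>`, whereas Example 1 in the hunk above uses `<p><b>Example 1: </b>...</p>`; wrap Example 6 the same way so it gets paragraph spacing after the preceding table and matches the other examples. The ADDRESS cell `206.124.146.177,206.124.146.179` is written without spaces, which fits the "list of ranges and/or addresses" text, but the text does not say whether whitespace is allowed in the list; stating that explicitly, as the rate-limit text does, would save a support question.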
@ -2009,8 +2304,10 @@ kernel compilation errors.</p>
may be found here,</a></b> <b><a href="IPIP.htm">instructions for IPIP may be found here,</a></b> <b><a href="IPIP.htm">instructions for IPIP
and GRE tunnels are here</a></b>, <b><a href="OPENVPN.html">instructions and GRE tunnels are here</a></b>, <b><a href="OPENVPN.html">instructions
for OpenVPN tunnels are here</a></b>, <b><a href="PPTP.htm">instructions for OpenVPN tunnels are here</a></b>, <b><a href="PPTP.htm">instructions
for PPTP tunnels are here</a> and <a href="6to4.htm">instructions for for PPTP tunnels are here</a>, <a href="6to4.htm">instructions for
6to4 tunnels</a> are here.</b></p> 6to4 tunnels are here</a> and <a href="GenericTunnels.html">instructions
for integrating Shorewall with other types of tunnels are here</a>.<br>
</b></p>
<h2><a name="Conf"></a>/etc/shorewall/shorewall.conf</h2> <h2><a name="Conf"></a>/etc/shorewall/shorewall.conf</h2>
<p> This file is used to set the following firewall parameters:</p> <p> This file is used to set the following firewall parameters:</p>
<ul> <ul>
@ -2484,7 +2781,9 @@ blacklist capability.</a></p>
<p><font color="#cc6666"><b>IMPORTANT: The Shorewall blacklist file is <u>NOT</u> <p><font color="#cc6666"><b>IMPORTANT: The Shorewall blacklist file is <u>NOT</u>
designed to police your users' web browsing -- to do that, I suggest designed to police your users' web browsing -- to do that, I suggest
that you install and configure Squid (<a that you install and configure Squid (<a
href="http://www.squid-cache.org">http://www.squid-cache.org</a>). </b></font></p> href="http://www.squid-cache.org">http://www.squid-cache.org</a>) with
SquidGuard (<a href="http://www.squidguard.org/">http://www.squidguard.org/</a>).
</b></font></p>
<h2><a name="rfc1918"></a>/etc/shorewall/rfc1918 (Added in Version <h2><a name="rfc1918"></a>/etc/shorewall/rfc1918 (Added in Version
1.3.1)</h2> 1.3.1)</h2>
<p>This file lists the subnets affected by the <a href="#Interfaces"><i>norfc1918</i> <p>This file lists the subnets affected by the <a href="#Interfaces"><i>norfc1918</i>
@ -2543,7 +2842,8 @@ Validation Documentation</a>.<br>
<h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2> <h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
This file is described in the <a href="ECN.html">ECN Control This file is described in the <a href="ECN.html">ECN Control
Documentation</a>.<br> Documentation</a>.<br>
<p><font size="-1"> Updated 8/8/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>

File diff suppressed because it is too large Load Diff

View File

@ -1,234 +1,214 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall and FTP</title> <title>Shorewall and FTP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2></h2> <h2></h2>
<blockquote> </blockquote>
<blockquote> </blockquote> <p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
<p>FTP transfers involve two TCP connections. The first <u>control</u> connection connection is used for logon and to send commands and responses between
goes from the FTP client to port 21 on the FTP server. This connection is the endpoints. Data transfers (including the output of "ls" and "dir"
used for logon and to send commands and responses between the endpoints. commands) requires a second <u>data</u> connection. The data
Data transfers (including the output of "ls" and "dir" commands) requires connection is dependent on the <u>mode</u>
a second <u>data</u> connection. The data connection is dependent on the <u>mode</u>
that the client is operating in:<br> that the client is operating in:<br>
</p> </p>
<ul> <ul>
<li>Passive Mode (default for web browsers) -- The client issues a PASV <li>Passive Mode (default for web browsers) -- The client issues a
command. Upon receipt of this command, the server listens on a dynamically-allocated PASV command. Upon receipt of this command, the server listens on a
port then sends a PASV reply to the client. The PASV reply gives the IP address dynamically-allocated port then sends a PASV reply to the client. The
and port number that the server is listening on. The client then opens a PASV reply gives the IP address
and port number that the server is listening on. The client then opens
a
second connection to that IP address and port number.</li> second connection to that IP address and port number.</li>
<li>Active Mode (often the default for line-mode clients) -- The client <li>Active Mode (often the default for line-mode clients) -- The
listens on a dynamically-allocated port then sends a PORT command to the client listens on a dynamically-allocated port then sends a PORT
server. The PORT command gives the IP address and port number that the client command to the server. The PORT command gives the IP address and port
is listening on. The server then opens a connection to that IP address and number that the client is listening on. The server then opens a
port number; the <u>source port</u> for this connection is 20 (ftp-data in connection to that IP address and port number; the <u>source port</u>
/etc/services).</li> for this connection is 20 (ftp-data in /etc/services).</li>
</ul> </ul>
You can see these commands in action using your linux ftp command-line You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive mode client in debugging mode. Note that my ftp client defaults to passive
and that I can toggle between passive and active mode by issuing a "passive" mode and that I can toggle between passive and active mode by issuing a
command:<br> "passive" command:<br>
<blockquote> <blockquote>
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font <pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre> color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
</blockquote> </blockquote>
Things to notice:<br> Things to notice:<br>
<ol> <ol>
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br> <li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li> </li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li> <li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are <li>Command responses from the server over the control connection are
numbered.<br> numbered.<br>
</li> </li>
<li>FTP uses a comma as a separator between the bytes of the IP address; <li>FTP uses a comma as a separator between the bytes of the IP
and</li> address; and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and separates <li>When sending a port number, FTP sends the MSB then the LSB and
the two bytes by a comma. As shown in the PORT command, port 142,58 translates separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates
to 142*256+58 = 36410.<br> to 142*256+58 = 36410.<br>
</li> </li>
</ol> </ol>
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode requires local clients to remote servers will always work but active mode
the firewall to dynamically open a "hole" for the server's connection back requires the firewall to dynamically open a "hole" for the server's
to the client. Similarly, if you are running an FTP server in your local connection back to the client. Similarly, if you are running an FTP
zone then active mode should always work but passive mode requires the firewall server in your local
to dynamically open a "hole" for the client's second connection to the server. zone then active mode should always work but passive mode requires the
This is the role of FTP connection-tracking support in the Linux kernel. firewall to dynamically open a "hole" for the client's second
connection to the server. This is the role of FTP connection-tracking
support in the Linux kernel.
<div align="left"><br> <div align="left"><br>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved, Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
the PORT commands and PASV responses may also need to be modified by the involved, the PORT commands and PASV responses may also need to be
firewall. This is the job of the FTP nat support kernel function.<br> modified by the firewall. This is the job of the FTP nat support kernel
</div> function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means that the <p>Including FTP connection-tracking and NAT support normally means
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded. Shorewall automatically that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/ loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br> and you can determine if they are loaded using the 'lsmod' command:<br>
</p> </p>
<blockquote> <blockquote>
<p>Example:<br> <p>Example:<br>
</p> </p>
<blockquote> <blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre> <pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT 
ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote> </blockquote>
</blockquote> </blockquote>
<blockquote> </blockquote>
<blockquote> </blockquote> <p>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
<p>If you want Shorewall to load these modules from an alternate directory, /etc/shorewall/shorewall.conf to point to that directory.<br>
you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf </p>
to point to that directory.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the <p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br> /etc/shorewall/rules documentation</a>,<br>
</p> </p>
<p>For a client, you must open outbound TCP port 21.&nbsp;<br>
<p>For a client, you must open outbound TCP port 21. <br> </p>
</p> <p>The above discussion about commands and responses makes it clear
that the
<p>The above discussion about commands and responses makes it clear that the FTP connection-tracking and NAT helpers must scan the traffic on the
FTP connection-tracking and NAT helpers must scan the traffic on the control control
connection looking for PASV and PORT commands as well as PASV responses. If connection looking for PASV and PORT commands as well as PASV
you run an FTP server on a nonstandard port or you need to access such responses. If
a server,  you must therefore let the helpers know by specifying the port you run an FTP server on a nonstandard port or you need to access such
in /etc/shorewall/modules entries for the helpers. For example, if you a server,&nbsp; you must therefore let the helpers know by specifying
run an FTP server that listens on port 49 then you would have:<br> the port
</p> in /etc/shorewall/modules entries for the helpers. <span
style="font-weight: bold;">For example, if you
run an FTP server that listens on port 49 or you need to access a
server on the internet that listens on that port then you would have:</span><br>
</p>
<blockquote> <blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br> <p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br> loadmodule ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may may have problems accessing regular FTP servers.</p>
have problems accessing regular FTP servers.</p> <p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in
<p>If there is a possibility that these modules might be loaded before Shorewall /etc/modules.conf:<br>
starts, then you should include the port list in /etc/modules.conf:<br> </p>
</p>
<blockquote> <blockquote>
<p>options ip_conntrack_ftp ports=21,49<br> <p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br> options ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules /etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
and/or /etc/modules.conf, you must either:<br> </p>
</p>
<ol> <ol>
<li>Unload the modules and restart shorewall: (<b><font <li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>); color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
or</li> restart</font></b>); or</li>
<li>Reboot</li> <li>Reboot</li>
</ol> </ol>
One problem that I see occasionally involves active mode and the FTP server One problem that I see occasionally involves active mode and the FTP
in my DMZ. I see the active data connection <u>to certain client IP addresses</u> server in my DMZ. I see the active data connection <u>to certain
being continuously rejected by my firewall. It is my conjecture that there client IP addresses</u> being continuously rejected by my firewall. It
is some broken client out there that is sending a PORT command that is being is my conjecture that there is some broken client out there that is
either missed or mis-interpreted by the FTP connection tracking helper yet sending a PORT command that is being either missed or mis-interpreted
it is being accepted by my FTP server. My solution is to add the following by the FTP connection tracking helper yet it is being accepted by my
rule:<br> FTP server. My solution is to add the following rule:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
PORT(S)<br> PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL<br> <td valign="top"><b>ORIGINAL<br>
DESTINATION<br> DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT:info<br> <td valign="top">ACCEPT:info<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
<td valign="top">20<br> <td valign="top">20<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br> <br>
<br> </blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body> </body>
</html> </html>
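Review bot: the workaround rule near the end of the hunk (ACCEPT:info dmz net tcp - 20) keys only on a source port of 20, so any host in the DMZ can open a connection to any TCP port on the net simply by binding its source port to 20; the :info log level at least makes such use visible, but the text should state that trade-off, and the DESTINATION column could be narrowed to the "certain client IP addresses" the paragraph says are affected rather than all of net. Two smaller things in the new text: the lsmod listing's ip_tables line is now split across two source lines inside the <pre>, which renders as a broken line in the listing, and "the /etc/shorewall/rules documentation</a>,<br>" should end in a period rather than a comma.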

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -932,7 +932,7 @@ ADSL modem.<br>
</table> </table>
</blockquote> </blockquote>
<div style="margin-left: 40px;">You will of course modify the 'net' <div style="margin-left: 40px;">You will of course modify the 'net'
entry in /etc/shorewall/interfaces to specify 'pppo' as the interface entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface
as described in the QuickStart Guide corresponding to your setup.<br> as described in the QuickStart Guide corresponding to your setup.<br>
</div> </div>
<br> <br>
@ -968,7 +968,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
That entry allows a PPTP tunnel to be established between your That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.<br> Shorewall system and the PPTP server in the modem.<br>
</div> </div>
<p><font size="2">Last modified 8/8/2003 - <a href="support.htm">Tom <p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
Eastep</a></font></p> Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font <p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>


@ -2,51 +2,52 @@
<html> <html>
<head> <head>
<title>What Shorewall Cannot Do</title> <title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<small> </small><small> <small> </small><small> </small><small> </small><small> </small><small>
</small><small> </small> <small> </small>
</small><small>
</small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"><small> </small> <td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall <h1 align="center"><small><font color="#ffffff">Some things that
<b>Cannot</b> Do</font></small></h1> Shorewall <b>Cannot</b> Do</font></small></h1>
<small> <small> </small></td>
</small></td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<small><br> <small><br>
</small>Shorewall cannot:<br> </small>Shorewall cannot:<br>
<ul> <ul>
<li>Be used on a Linux System that is functioning as a Layer 2 Bridge</li> <li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by application.</li> <li>Act as a "Personal Firewall" that allows internet access by
<li>Do content filtering -- better to use <a application.</li>
href="Shorewall_Squid_Usage.html">Squid</a> for that.<br> <li>Be used with an Operating System other than Linux (version &gt;=
</li> 2.4.0)<br>
</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
</ul> </ul>
<br> In addition:<br>
<font size="2">Last updated 7/9/2003 - <a href="support.htm">Tom Eastep</a></font> <ul>
<li>Shorewall does not contain any support for Netfilter <span
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
only supports features from released kernels.<br>
</li>
</ul>
<br>
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
</body> </body>
</html> </html>
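Review bot: the new "Be used with an Operating System other than Linux (version &gt;= 2.4.0)" bullet and the new Patch-O-Matic bullet both end with a stray <br> before </li> while the other bullets in the same lists do not, so the lists render with uneven spacing; drop the <br> in both places. The run of empty <small> </small> pairs between <body> and the banner table is editor residue that this change only reflows; deleting it would be cleaner. The reworded bridge bullet is an improvement: "filter traffic through a Layer 2 Bridge" says precisely what is unsupported, where the old "Be used on a Linux System that is functioning as a Layer 2 Bridge" read as a blanket prohibition on running Shorewall on a bridge host at all.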


@ -1,409 +1,341 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Configuration File Basics</title> <title>Configuration File Basics</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration configuration files on a system running Microsoft Windows, you <u>must</u>
files on a system running Microsoft Windows, you <u>must</u> run them through <a
run them through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> before you use them with Shorewall.</b></p>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2> <h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to <li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li> set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to <li>/etc/shorewall/params - use this file to set shell variables that
set shell variables that you will expand in other files.</li> you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's view of the world
view of the world into <i>zones.</i></li> into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
high-level policy.</li> <li>/etc/shorewall/interfaces - describes the interfaces on the
<li>/etc/shorewall/interfaces - describes the firewall system.</li>
interfaces on the firewall system.</li> <li>/etc/shorewall/hosts - allows defining zones in terms of
<li>/etc/shorewall/hosts - allows defining zones individual hosts and subnetworks.</li>
in terms of individual hosts and subnetworks.</li> <li>/etc/shorewall/masq - directs the firewall where to use
<li>/etc/shorewall/masq - directs the firewall many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
where to use many-to-one (dynamic) Network Address Translation and Source Network Address Translation (SNAT).</li>
(a.k.a. Masquerading) and Source Network Address Translation <li>/etc/shorewall/modules - directs the firewall to load kernel
(SNAT).</li> modules.</li>
<li>/etc/shorewall/modules - directs the firewall <li>/etc/shorewall/rules - defines rules that are exceptions to the
to load kernel modules.</li> overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/rules - defines rules that <li>/etc/shorewall/nat - defines static NAT
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
rules.</li> rules.</li>
<li>/etc/shorewall/proxyarp - defines use of <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
Proxy ARP.</li> <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 hosts accessible when Shorewall is stopped.</li>
and later) - defines hosts accessible when Shorewall is stopped.</li> <li>/etc/shorewall/tcrules - defines marking of packets for later use
<li>/etc/shorewall/tcrules - defines marking by traffic control/shaping or policy routing.</li>
of packets for later use by traffic control/shaping or policy <li>/etc/shorewall/tos - defines rules for setting the TOS field in
routing.</li> packet headers.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tunnels - defines IPSEC,
the TOS field in packet headers.</li> GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
GRE and IPIP tunnels with end-points on the firewall system.</li> addresses.</li>
<li>/etc/shorewall/blacklist - lists blacklisted <li>/etc/shorewall/init - commands that you wish to execute at
IP/subnet/MAC addresses.</li> the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/init - commands that you wish to execute at <li>/etc/shorewall/start - commands that you wish to execute at the
the beginning of a "shorewall start" or "shorewall restart".</li> completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/start - commands that you wish to execute at <li>/etc/shorewall/stop - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li> the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stop - commands that you wish to execute at <li>/etc/shorewall/stopped - commands that you wish to execute
the beginning of a "shorewall stop".</li> at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute <li>/etc/shorewall/ecn - disable Explicit Congestion Notification
at the completion of a "shorewall stop".</li> (ECN - RFC 3168) to remote hosts or networks.</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN <li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
- RFC 3168) to remote hosts or networks.<br> <li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
</li> users/groups with
similar access rights<br>
</li>
</ul> </ul>
<h2>Comments</h2>
<h2><a name="Comments"></a>Comments</h2> <p>You may place comments in configuration files by making the first
non-whitespace character a pound sign ("#"). You may also place
<p>You may place comments in configuration files by making the first non-whitespace comments at the end of any line, again by delimiting the comment from
character a pound sign ("#"). You may also place comments the
at the end of any line, again by delimiting the comment from the rest of the line with a pound sign.</p>
rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
<pre># This is a comment</pre> <pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre> <pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2> <h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual
<p>You may continue lines in the configuration files using the usual backslash backslash ("\") followed immediately by a new line character.</p>
("\") followed immediately by a new line character.</p>
<p>Example:</p> <p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre> <pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2> Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives. Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
An INCLUDE directive consists of the word INCLUDE followed by a file name directives. An INCLUDE directive consists of the word INCLUDE followed
and causes the contents of the named file to be logically included into by a file name and causes the contents of the named file to be
the file containing the INCLUDE. File names given in an INCLUDE directive logically included into the file containing the INCLUDE. File names
are assumed to reside in /etc/shorewall or in an alternate configuration given in an INCLUDE directive are assumed to reside in /etc/shorewall
directory if one has been specified for the command.<br> or in an alternate configuration directory if one has been specified
<br> for the command.<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives <br>
are ignored with a warning message.<big><big><br> INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
<br> directives are ignored with a warning message.<big><big><br>
</big></big> Examples:<big> </big> <br> <br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br> <blockquote> &nbsp;&nbsp; shorewall/params.mgmt:<br>
<blockquote> &nbsp;&nbsp; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br> &nbsp;&nbsp; TIME_SERVERS=4.4.4.4<br>
   TIME_SERVERS=4.4.4.4<br> &nbsp;&nbsp; BACKUP_SERVERS=5.5.5.5<br>
   BACKUP_SERVERS=5.5.5.5<br> </blockquote>
</blockquote> &nbsp;&nbsp; ----- end params.mgmt -----<br>
   ----- end params.mgmt -----<br> </blockquote>
</blockquote> <blockquote> &nbsp;&nbsp; shorewall/params:<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br> <blockquote> &nbsp;&nbsp; # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br> &nbsp;&nbsp; [..]<br>
   #######################################<br> &nbsp;&nbsp; #######################################<br>
 <br> &nbsp;<br>
   INCLUDE params.mgmt    <br> &nbsp;&nbsp; INCLUDE params.mgmt&nbsp;&nbsp;&nbsp; <br>
  <br> &nbsp; <br>
   # params unique to this host here<br> &nbsp;&nbsp; # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br> &nbsp;&nbsp; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
</blockquote> REMOVE<br>
</blockquote> </blockquote>
</blockquote>
<blockquote>    ----- end params -----<br> <blockquote> &nbsp;&nbsp; ----- end params -----<br>
</blockquote> </blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules.mgmt:<br>
<blockquote>    shorewall/rules.mgmt:<br> </blockquote>
</blockquote>
<blockquote> <blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br> <blockquote> &nbsp;&nbsp; ACCEPT
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br> net:$MGMT_SERVERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br> $FW&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
</blockquote> &nbsp;&nbsp; ACCEPT
</blockquote> $FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$TIME_SERVERS&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 123<br>
<blockquote>    ----- end rules.mgmt -----<br> &nbsp;&nbsp; ACCEPT
</blockquote> $FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$BACKUP_SERVERS&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
<blockquote>    shorewall/rules:<br> </blockquote>
</blockquote> </blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br> <blockquote> &nbsp;&nbsp; # Shorewall version 1.3 - Rules File<br>
   [..]<br> &nbsp;&nbsp; [..]<br>
   #######################################<br> &nbsp;&nbsp; #######################################<br>
 <br> &nbsp;<br>
   INCLUDE rules.mgmt     <br> &nbsp;&nbsp; INCLUDE rules.mgmt&nbsp;&nbsp;&nbsp;&nbsp; <br>
  <br> &nbsp; <br>
   # rules unique to this host here<br> &nbsp;&nbsp; # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br> &nbsp;&nbsp; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
</blockquote> REMOVE<br>
</blockquote> </blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br> <blockquote> &nbsp;&nbsp; ----- end rules -----<br>
</blockquote> </blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2> <h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u> <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS using DNS names in Shorewall configuration files. If you use DNS names
names and you are called out of bed at 2:00AM because Shorewall won't and you are called out of bed at 2:00AM because Shorewall won't start
start as a result of DNS problems then don't say that you were not forewarned. as a result of DNS problems then don't say that you were not
<br> forewarned. <br>
</b></p> </b></p>
<p align="left"><b>&nbsp;&nbsp;&nbsp; -Tom<br>
<p align="left"><b>    -Tom<br> </b></p>
</b></p> <p align="left">Beginning with Shorewall 1.3.9, Host addresses in
Shorewall configuration files may be specified as either IP addresses
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall or DNS Names.<br>
configuration files may be specified as either IP addresses or DNS <br>
Names.<br> DNS names in iptables rules aren't nearly as useful
<br> as they first appear. When a DNS name appears in a rule, the iptables
DNS names in iptables rules aren't nearly as useful utility resolves the name to one or more IP addresses and inserts those
as they first appear. When a DNS name appears in a rule, the iptables addresses into the rule. So changes in the DNS-&gt;IP address
utility resolves the name to one or more IP addresses and inserts relationship that occur after the firewall has started have absolutely
those addresses into the rule. So changes in the DNS-&gt;IP address no effect on the firewall's ruleset. </p>
relationship that occur after the firewall has started have absolutely <p align="left"> If your firewall rules include DNS names then:</p>
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall <li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
won't start.</li> <li>If your /etc/nsswitch.conf is wrong then your firewall won't
<li>If your /etc/nsswitch.conf is wrong then your firewall start.</li>
won't start.</li> <li>If your Name Server(s) is(are) down then your firewall won't
<li>If your Name Server(s) is(are) down then your firewall start.</li>
won't start.</li> <li>If your startup scripts try to start your firewall before
<li>If your startup scripts try to start your firewall starting your DNS server then your firewall won't start.<br>
before starting your DNS server then your firewall won't start.<br> </li>
</li> <li>Factors totally outside your control (your ISP's router is down
<li>Factors totally outside your control (your ISP's for example), can prevent your firewall from starting.</li>
router is down for example), can prevent your firewall from starting.</li> <li>You must bring up your network interfaces prior
<li>You must bring up your network interfaces prior to starting your firewall.<br>
to starting your firewall.<br> </li>
</li>
</ul> </ul>
<p align="left"> Each DNS name much be fully qualified and include a
<p align="left"> Each DNS name much be fully qualified and include a minumum minumum of two periods (although one may be trailing). This restriction
of two periods (although one may be trailing). This restriction is is imposed by Shorewall to insure backward compatibility with existing
imposed by Shorewall to insure backward compatibility with existing configuration files.<br>
configuration files.<br> <br>
<br> Examples of valid DNS names:<br>
Examples of valid DNS names:<br> </p>
</p>
<ul> <ul>
<li>mail.shorewall.net</li> <li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li> <li>shorewall.net. (note the trailing period).</li>
</ul> </ul>
Examples of invalid DNS names:<br> Examples of invalid DNS names:<br>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net (only one period)</li>
</ul> </ul>
DNS names may not be used as:<br> DNS names may not be used as:<br>
<ul> <ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
file)</li> <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li> <li>In the /etc/shorewall/nat file.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul> </ul>
These restrictions are not imposed by Shorewall simply These restrictions are not imposed by Shorewall simply for your
for your inconvenience but are rather limitations of iptables.<br> inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
<p>Where specifying an IP address, a subnet or an interface, you can precede precede the item with "!" to specify the complement of the item. For
the item with "!" to specify the complement of the item. For example, example, !192.168.1.4 means "any host but 192.168.1.4". There must be
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space no white space following the "!".</p>
following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2> <h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br> Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,     Invalid: routefilter,&nbsp;&nbsp;&nbsp;&nbsp;
norfc1818</li> dhcp,&nbsp;&nbsp;&nbsp;&nbsp; norfc1818</li>
<li>If you use line continuation to break a <li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li> in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear <li>Entries in a comma-separated list may appear in any order.</li>
in any order.</li>
</ul> </ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2> <h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
<p>Unless otherwise specified, when giving a port number you can use either either an integer or a service name from /etc/services. </p>
an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, if
if you want to forward the range of tcp ports 4000 through 4100 to you want to forward the range of tcp ports 4000 through 4100 to local
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br> omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
<p>You may use the /etc/shorewall/params file to set shell variables that you can then use in some of the other configuration files.</p>
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font face="Century Gothic, Arial, Helvetica">
face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font face="Century Gothic, Arial, Helvetica">
face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre> <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration files.</p>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2> <h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
<p>Media Access Control (MAC) addresses can be used to specify packet source in several of the configuration files. To use this feature, your
source in several of the configuration files. To use this kernel must have MAC Address Match support
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
(CONFIG_IP_NF_MATCH_MAC) included.</p> <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique <br>
MAC address.<br> In GNU/Linux, MAC addresses are usually written as a series of 6 hex
<br> numbers separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written <br>
as a series of 6 hex numbers separated by colons. Example:<br> &nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
<br> &nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     [root@gateway root]# ifconfig eth0<br> &nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br> Bcast:206.124.146.255 Mask:255.255.255.0<br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 &nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500
Mask:255.255.255.0<br> Metric:1<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> &nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0
     RX packets:2398102 errors:0 dropped:0 overruns:0 overruns:0 frame:0<br>
frame:0<br> &nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0
     TX packets:3044698 errors:0 dropped:0 overruns:0 overruns:0 carrier:0<br>
carrier:0<br> &nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
     collisions:30394 txqueuelen:100<br> &nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 bytes:1659782221 (1582.8 Mb)<br>
(1582.8 Mb)<br> &nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
     Interrupt:11 Base address:0x1800<br> <br>
<br> Because Shorewall uses colons as a separator for address fields,
Because Shorewall uses colons as a separator for Shorewall requires MAC addresses to be written in another way. In
address fields, Shorewall requires MAC addresses to be written Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex
in another way. In Shorewall, MAC addresses begin with a tilde numbers separated by hyphens. In Shorewall, the MAC address in the
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall, example above would be written "~02-00-08-E3-FA-55".<br>
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br> </p>
</p> <p><b>Note: </b>It is not necessary to use the special Shorewall
notation in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation file.<br>
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> </p>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. /etc/shorewall. The <a href="starting_and_stopping_shorewall.htm">shorewall
The <a href="starting_and_stopping_shorewall.htm">shorewall check, check, start and restart</a> commands allow you to specify an alternate
start and restart</a> commands allow you to specify an alternate configuration directory and Shorewall will use the files in the
configuration directory and Shorewall will use the files in the alternate alternate directory rather than the corresponding files in
directory rather than the corresponding files in /etc/shorewall. The /etc/shorewall. The alternate directory need not contain a complete
alternate directory need not contain a complete configuration; those configuration; those files not in the alternate directory will be read
files not in the alternate directory will be read from /etc/shorewall.</p> from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary
<p> This facility permits you to easily create a test or temporary configuration configuration by:</p>
by:</p>
<ol> <ol>
<li> copying the files that need modification <li> copying the files that need modification from /etc/shorewall to
from /etc/shorewall to a separate directory;</li> a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory; and</li>
and</li> <li> specifying the separate directory in a shorewall start or
<li> specifying the separate directory in a shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
shorewall start or shorewall restart command (e.g., <i><b>shorewall restart</b></i> )</li>
-c /etc/testconfig restart</b></i> )</li>
</ol> </ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a> The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if an allows you to attempt to restart using an alternate configuration and
if an
error occurs to automatically restart the standard configuration.<br> error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a> </font></p>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
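Review bot: the reflowed "Using DNS Names" text keeps three typos that the new side rewraps untouched: "Each DNS name much be fully qualified and include a minumum of two periods" and "to insure backward compatibility" should read "must be", "minimum" and "ensure". In the Comma-separated Lists section the invalid example is spelled "norfc1818" while the valid example just above it is "routefilter,dhcp,norfc1918", so the option name should be corrected to norfc1918 or the mismatch reads as a third kind of error. The anchor `<a name="Compliment">` also misspells the section title "Complementing an Address or Subnet"; if it is corrected, any existing links to #Compliment need a matching update.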


@ -1,234 +1,196 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title> <title>Download</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format
<p>The entire set of Shorewall documentation is available in PDF format at:</p> at:</p>
<p>&nbsp;&nbsp;&nbsp; <a
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a &nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a &nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a> href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the
<p>The documentation in HTML format is included in the .rpm and in the .tgz .tgz
packages below.</p> packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
<p> Once you've printed the appropriate QuickStart Guide, download <u> one</u> of the modules:</p>
one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
<b> Linux PPC</b> or <b> TurboLinux</b> distribution PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
with a 2.4 kernel, you can use the RPM version (note: the TurboLinux</b> distribution with a 2.4 kernel, you can
RPM should also work with other distributions that store use the RPM version (note: the RPM should also work with other
init scripts in /etc/init.d and that include chkconfig distributions that store init scripts in /etc/init.d and that include
or insserv). If you find that it works in other cases, let <a chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
I can mention them here. See the <a href="Install.htm">Installation them here. See the <a href="Install.htm">Installation Instructions</a>
Instructions</a> if you have problems installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp <li>If you are running LRP, download the .lrp file (you might also
file (you might also want to download the .tgz so you will want to download the .tgz so you will have a copy of the documentation).</li>
have a copy of the documentation).</li> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
<li>If you run <a would like a .deb package, Shorewall is included in both the <a
href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm
<p>The documentation in HTML format is included in the .tgz and .rpm files files and there is an documentation .deb that also contains the
and there is an documentation .deb that also contains the documentation.  The documentation.&nbsp;&nbsp;The .rpm will install the documentation in
.rpm will install the documentation in your default document directory your default document directory which can be obtained using the
which can be obtained using the following command:<br> following command:<br>
</p> </p>
<blockquote> <blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font> errata</a></font> to see if there are updates that apply to the version
to see if there are updates that apply to the version that you have downloaded.</p>
that you have downloaded.</p> <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION completed configuration of your firewall, you can enable startup by
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration removing the file /etc/shorewall/startup_disabled.</b></font></p>
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p> <p><b></b></p>
<p><b>Download Sites:</b></p> <p><b>Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> <td> <a target="_blank"
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> <td><a target="_blank"
<td><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily Unavailable)</a></td> Unavailable)</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> <td><a target="_blank"
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td valign="top">Taiwan<br> <td valign="top">Taiwan<br>
</td> </td>
<td valign="top">Greshko.com<br> <td valign="top">Greshko.com<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br> href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td> </a></td>
<td valign="top"><a <td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br> href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">Argentina<br> <td valign="top">Argentina<br>
</td> </td>
<td valign="top">Shorewall.net<br> <td valign="top">Shorewall.net<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br> href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td> </td>
<td valign="top">N/A<br> <td valign="top">N/A<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">Brazil<br> <td valign="top">Brazil<br>
</td> </td>
<td valign="top">securityopensource.org.br<br> <td valign="top">securityopensource.org.br<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br> href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td> </td>
<td valign="top">N/A<br> <td valign="top">N/A<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
<td><a target="_blank">Browse</a></td>
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
at cvs.shorewall.net</a> contains the latest snapshots of the repository at cvs.shorewall.net</a> contains the latest snapshots of
each Shorewall component. There's no guarantee that what you find the each Shorewall component. There's no guarantee that what you find
there will work at all.<br> there will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><b>Shapshots:<br> <p align="left"><b>Shapshots:<br>
</b></p> </b></p>
<blockquote> <blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a <p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a> href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>). (<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed These snapshots have undergone initial testing and will have been
and run at shorewall.net.<br> installed and run at shorewall.net.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
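Review bot: in the download-sites table the France HTTP entry is labelled "Browse" but points at a single file, `href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a>`, while every other mirror's Browse link points at a directory; it should point at the directory (the same path without LATEST.lrp) or be relabelled. The change from `rpm --eval '%{defaultdocdir}'` to `'%{_defaultdocdir}'` is the right macro name. Two smaller points in the same hunk: the sentence "The documentation in HTML format is included in the .rpm and in the .tgz packages below" is repeated a few paragraphs later with "and there is an documentation .deb" (should be "a documentation .deb"), so one of the two could go; and the heading "Shapshots:" should be "Snapshots:". The mirror table lists plain HTTP and FTP locations with nothing on how to verify what was downloaded; a pointer to the release checksums or signatures, where they are published, would belong on this page.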


@ -1,391 +1,319 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title> <title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
Issues</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
<p align="left"> <b><u>I</u>f you use a Windows system to download a corrected script, be sure to run the script through <u> <a
a corrected script, be sure to run the script through
<u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/" href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first
<p align="left"> <b>If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar
time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory
the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.</b></p>
with the one you downloaded below, and then run install.sh.</b></p> </li>
</li> <li>
<li> <p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall,
<p align="left"> <b>When the instructions say to install a corrected you may rename the existing file before copying in the new file.</b></p>
firewall script in /usr/share/shorewall/firewall, </li>
you may rename the existing file before copying in the new file.</b></p> <li>
</li> <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
<li> COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS if you are running 1.3.7c.</font></b><br>
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER </p>
BELOW. For example, do NOT install the 1.3.9a firewall script </li>
if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol> </ol>
<ul> <ul>
<li><b><a <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> </li>
</li> <li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
href="errata_3.html">Problems in Version 1.3</a></b></li> <li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
<li> <b><a Version 1.1</a></font></b></li>
href="errata_2.htm">Problems in Version 1.2</a></b></li> <li> <b><font color="#660066"><a href="#iptables"> Problem with
<li> <b><font iptables version 1.2.3 on RH7.2</a></font></b></li>
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> <li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
<li> <b><font RedHat
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li> iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
RPM on SuSE</a></b></li> <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
<li><b><a href="#Multiport">Problems MULTIPORT=Yes</a></b></li>
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li> <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
2.4.18-10 and NAT</a></b></li> REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and alt="(New)" width="28" height="12" border="0"> </a><br>
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif" </b></li>
alt="(New)" width="28" height="12" border="0">
</a><br>
</b></li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2> <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3> <h3></h3>
<h3>1.4.6</h3> <h3>1.4.6</h3>
<ul> <ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall would <li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
fail to start with the error "ERROR:  Traffic Control requires Mangle"; would fail to start with the error "ERROR:&nbsp; Traffic Control
that problem has been corrected in <a requires Mangle";
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this firewall that problem has been corrected in <a
script</a> which may be installed in /var/share/shorewall/firewall as described href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
above. This problem is also corrected in bugfix release 1.4.6a.</li> firewall script</a> which may be installed in
<li>This problem occurs in all versions supporting traffic control. If /var/share/shorewall/firewall as described above. This problem is also
a MAC address is used in the SOURCE column, an error occurs as follows:<br> corrected in bugfix release 1.4.6a.</li>
<br> <li>This problem occurs in all versions supporting traffic control.
     <font size="3"><tt>iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</tt></font><br> If a MAC address is used in the SOURCE column, an error occurs as
<br> follows:<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in <br>
<a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this &nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
firewall script</a> which may be installed in /var/share/shorewall/firewall `00:08:B5:35:52:E7-d`</tt></font><br>
as described above. For all other versions, you will have to edit your 'firewall' <br>
script (in versions 1.4.*, it is located in /usr/share/shorewall/firewall). For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
Locate the function add_tcrule_() and in that function, replace this line:<br> in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
<br> firewall script</a> which may be installed in
    r=`mac_match $source` <br> /var/share/shorewall/firewall
<br> as described above. For all other versions, you will have to edit your
with<br> 'firewall'
<br> script (in versions 1.4.*, it is located in
     r="`mac_match $source` "<br> /usr/share/shorewall/firewall).
<br> Locate the function add_tcrule_() and in that function, replace this
Note that there must be a space before the ending quote!<br> line:<br>
</li> <br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul> </ul>
<h3>1.4.4b</h3> <h3>1.4.4b</h3>
<ul> <ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped <li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected that have an empty second column (HOSTS). This problem may be corrected
by installing <a by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.</li> described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones <li>The INCLUDE directive doesn't work when placed in the
file. This problem may be corrected by installing <a /etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br> target="_top">this functions script</a> in
</li> /usr/share/shorewall/functions.<br>
</li>
</ul> </ul>
<h3>1.4.4-1.4.4a</h3> <h3>1.4.4-1.4.4a</h3>
<ul> <ul>
<li>Log messages are being displayed on the system console even <li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
<a installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.<br> described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.4<br> <h3>1.4.4<br>
</h3> </h3>
<ul> <ul>
<li> If you have zone names that are 5 characters long, you may <li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a logging experience problems starting Shorewall because the --log-prefix in a
rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li> logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul> </ul>
<h3>1.4.3</h3> <h3>1.4.3</h3>
<ul> <ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended <li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com). to allow integration of Shorewall with Fireparse
Unfortunately, LOGMARKER only solved part of the integration problem. (http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
I have implimented a new LOGFORMAT variable which will replace LOGMARKER of the integration problem. I have implimented a new LOGFORMAT variable
which has completely solved this problem and is currently in production which will replace LOGMARKER which has completely solved this problem
with fireparse here at shorewall.net. The updated files may be found at and is currently in production with fireparse here at shorewall.net.
<a The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>. target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br> See the 0README.txt file for details.<br>
</li> </li>
</ul> </ul>
<h3>1.4.2</h3> <h3>1.4.2</h3>
<ul> <ul>
<li>When an 'add' or 'delete' command is executed, a temporary <li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be corrected directory created in /tmp is not being removed. This problem may be
by installing <a corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above. <br> described above. <br>
</li> </li>
</ul> </ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with <li>Some TCP requests are rejected in the 'common' chain with an ICMP
an ICMP port-unreachable response rather than the more appropriate TCP port-unreachable response rather than the more appropriate TCP RST
RST response. This problem is corrected in <a response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in target="_top">this updated common.def file</a> which may be installed
/etc/shorewall/common.def.<br> in /etc/shorewall/common.def.<br>
</li> </li>
</ul> </ul>
<h3>1.4.1</h3> <h3>1.4.1</h3>
<ul> <ul>
<li>When a "shorewall check" command is executed, each "rule" <li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br> produces the harmless additional message:<br>
<br> <br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator &nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
expected<br> unary operator expected<br>
<br> <br>
You may correct the problem by installing <a You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall target="_top">this corrected script</a> in
as described above.<br> /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.0</h3> <h3>1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt <li>When running under certain shells Shorewall will attempt to
to create ECN rules even when /etc/shorewall/ecn is empty. You may create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a either just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br> correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
<hr width="100%" size="2"> <hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p> href="upgrade_issues.htm">a separate page</a>.</p>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
iptables version 1.2.3</font></h3> with iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3
prevent it from working with Shorewall. Regrettably, that prevent it from working with Shorewall. Regrettably, RedHat
RedHat released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
I have also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are
running RedHat 7.1, you can install either of these RPMs currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat has released an iptables-1.2.4 RPM of their own which
has released an iptables-1.2.4 RPM of their own which you can download from<font color="#ff6633"> <a
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and </font>I have installed this RPM on my firewall and
it works fine.</p> it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
<p align="left">If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This <a
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level which corrects a problem with parsing of the --log-level specification
specification while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3> RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel
may experience the following:</p> 2.4.18/19 may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by installing
installing <a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the 1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p> iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<h3><a name="SuSE"></a>Problems installing/upgrading <p>If you find that rpm complains about a conflict with kernel &lt;=
RPM on SuSE</h3> 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
MULTIPORT=Yes</b></h3> <p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
<p>The iptables 1.2.7 release of iptables has made an incompatible consequence, if you install iptables 1.2.7 you must be running
change to the syntax used to specify multiport match rules; Shorewall 1.3.7a or later or:</p>
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set <li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
MULTIPORT=No in /etc/shorewall/shorewall.conf; <li>if you are running Shorewall 1.3.6 you may install <a
or </li>
<li>if
you are running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall as described
as described above.</li> above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following /etc/shorewall/nat entries of the following form will result in
form will result in Shorewall being unable to start:<br> Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> Error message is:<br>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. The solution is to put "no" in the LOCAL column. Kernel support for
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
has disabled it. The 2.4.19 kernel contains corrected support 2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br> <br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT and REJECT
(also applies to 2.4.21-RC1)</b></h3> (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset" Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
is broken. The symptom most commonly seen is that REJECT rules act just tcp-reset" is broken. The symptom most commonly seen is that REJECT
like DROP rules when dealing with TCP. A kernel patch and precompiled modules rules act just like DROP rules when dealing with TCP. A kernel patch
to fix this problem are available at <a and precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br> target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr> <hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
Eastep</a></font>
</p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
</body> </body>
</html> </html>
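Review bot: the rpm example in the "Problems with kernels >= 2.4.18 and RedHat iptables" section invokes the wrong program: the sentence says to pass the --oldpackage option to rpm, but the quoted command reads "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm"; it should be "rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm". In the 1.4.6 section, both items tell the reader to install the corrected script in /var/share/shorewall/firewall, while the instructions at the top of the page and the second 1.4.6 item itself give /usr/share/shorewall/firewall; the /var/share path should be corrected so users do not copy the script somewhere Shorewall never reads. Since this hunk is a pure reflow (both columns carry the same text), it is a good moment to also fix "implimented" (1.4.3 item) and "configuraiton" (NAT section).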

@ -1,147 +1,117 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%" <table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" <td width="33%" valign="middle" align="left">
align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left"> </a></h1>
</a></h1> <a href="http://www.gnu.org/software/mailman/mailman.html"> <img
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt=""> </a>
</a> <p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
<p align="right"><font color="#ffffff"><b>  </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif" href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</a> </p> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <td valign="middle" width="33%"> <a
<a href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
src="images/postfix-white.gif" align="right" border="0" width="158" align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
height="84" alt="(Postfix Logo)"> </a><br>
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0"> </a> </div>
</a> </div> <br>
<br>
<div align="right"><b><font color="#ffffff"><br> <div align="right"><b><font color="#ffffff"><br>
</font></b><br> </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
If you experience problems with any of these lists, <br>
please let <a href="mailto:postmaster@shorewall.net">me</a> <big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">If you are reporting a problem or asking a
question, you are at the wrong place -- please see the <a
href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
<br>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
know know
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to
<p align="left">You can report such problems by sending mail to tmeastep at tmeastep at
hotmail dot com.</p> hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net&nbsp;<a
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net checks
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br> incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a <li>against <a href="http://spamassassin.org">Spamassassin</a>
href="http://spamassassin.org">Spamassassin</a> (including <a (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> </li>
</li> <li>to ensure that the sender address is
<li>to ensure that the sender address is fully qualified.</li>
fully qualified.</li> <li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to verify that the sender's domain has <li>to ensure that the host name in the HELO/EHLO command is a valid
an A or MX record in DNS.</li> fully-qualified DNS name.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers A growing number of MTAs serving list subscribers are rejecting all
are rejecting all HTML traffic. At least one MTA has gone so far HTML traffic. At least one MTA has gone so far as to blacklist
as to blacklist shorewall.net "for continuous abuse" because it has shorewall.net "for continuous abuse" because it has been my policy to
been my policy to allow HTML in list posts!!<br> allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way I think that blocking all HTML is a Draconian way to control spam and
to control spam and that the ultimate losers here are not the spammers that the ultimate losers here are not the spammers but the list
but the list subscribers whose MTAs are bouncing all shorewall.net subscribers whose MTAs are bouncing all shorewall.net mail. As one list
mail. As one list subscriber wrote to me privately "These e-mail admin's subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
need to get a <i>(explitive deleted)</i> life instead of trying to deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow subscribers rid the planet of HTML based e-mail". Nevertheless, to allow
to receive list posts as must as possible, I have now configured the subscribers to receive list posts as must as possible, I have now
list server at shorewall.net to strip all HTML from outgoing posts. configured the list server at shorewall.net to strip all HTML from
This means that HTML-only posts will be bounced by the list server.<br> outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list If you find that you are missing an occasional list post, your e-mail
post, your e-mail admin may be blocking mail whose <i>Received:</i> admin may be blocking mail whose <i>Received:</i> headers contain the
headers contain the names of certain ISPs. Again, I believe that such names of certain ISPs. Again, I believe that such policies hurt more
policies hurt more than they help but I'm not prepared to go so far than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
as to start stripping <i>Received:</i> headers to circumvent those headers to circumvent those policies.<br>
policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
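Review bot: the reflowed "Please post in plain text" paragraph keeps two typos that this rewrite was the natural moment to fix: "(explitive deleted)" should read "(expletive deleted)", and "to receive list posts as must as possible" should read "as much as possible". Since the lines are already being touched on the new side, suggest correcting both in the same change.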
@ -150,135 +120,122 @@ policies.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" </font> <input type="hidden" name="config" value="htdig"> <input
name="config" value="htdig"> <input type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input
name="exclude" value=""> <br> type="hidden" name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30" name="words" value=""> <input
name="words" value=""> <input type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download
<h2 align="left"><font color="#ff0000">Please do not try to download the entire the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't Archive -- it is 164MB (and growing daily) and my slow DSL line simply
won't
stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued If you want to trust X.509 certificates issued by Shoreline Firewall
by Shoreline Firewall (such as the one used on my web site), (such as the one used on my web site), you may <a
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates in your browser. If you don't wish to trust my certificates then you
then you can either use unencrypted access when subscribing to can either use unencrypted access when subscribing to Shorewall mailing
Shorewall mailing lists or you can use secure access (SSL) and lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br> accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for
<p align="left">The Shorewall Users Mailing list provides a way for users users to get answers to questions and to report problems. Information
to get answers to questions and to report problems. Information of general interest to the Shorewall user community is also posted to
of general interest to the Shorewall user community is also this list.</p>
posted to this list.</p> <p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a
<p align="left"><b>To post a problem report to this list or to subscribe to href="http://www.shorewall.net/support.htm">problem
the list, please see the <a reporting guidelines</a>.<br>
href="http://www.shorewall.net/support.htm">problem reporting guidelines</a>.</b></p> </b></big></p>
<p align="left">To subscribe: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<br>
</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that at <a href="http://sourceforge.net">Sourceforge</a>. The archives from
that
list may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to
<p align="left">This list is for announcements of general interest to the the Shorewall community. <big><span style="color: rgb(255, 0, 0);"><span
Shorewall community. To subscribe:<br> style="font-weight: bold;">DO NOT USE THIS LIST FOR REPORTING PROBLEMS
</p> OR ASKING FOR HELP.</span></span></big><br>
</p>
<p align="left"></p> <p align="left">To subscribe: <a
<ul>
<li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https://lists.shorewall.net/mailman/listinfo/shorewall-announce</a>.
<br>
</ul> </p>
<a
<p align="left"><br> href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
The list archives are at <a target="_top"></a>
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br>
</p>
<ul> <ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul> </ul>
The list archives are at <a
<p align="left"> To post to the list, post to <a href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum
for the exchange of ideas about the future of Shorewall and
for coordinating ongoing Shorewall Development. <big><span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">DO NOT
USE THIS LIST FOR REPORTING PROBLEMS OR ASKING FOR HELP.</span></span></big></p>
<p align="left">To subscribe to the mailing list: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></p>
<ul>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of of the Mailing Lists</h2>
the Mailing Lists</h2> <p align="left">There seems to be near-universal confusion about
unsubscribing from Mailman-managed lists although Mailman 2.1 has
<p align="left">There seems to be near-universal confusion about unsubscribing attempted to make this less confusing. To unsubscribe:</p>
from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to
<p align="left">Follow the same link above that you used to subscribe subscribe to the list.</p>
to the list.</p> </li>
</li> <li>
<li> <p align="left">Down at the bottom of that page is the following
text: " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>,
<p align="left">Down at the bottom of that page is the following text: get a password reminder, or change your subscription options
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, enter your subscription email address:". Enter your email address in
get a password reminder, or change your subscription options the box and click on the "<b>Unsubscribe</b> or edit
enter your subscription email address:". Enter your email options" button.</p>
address in the box and click on the "<b>Unsubscribe</b> or edit </li>
options" button.</p> <li>
</li> <p align="left">There will now be a box where you can enter your
<li> password and click on "Unsubscribe"; if you have forgotten your
password, there is another button that will cause your password
<p align="left">There will now be a box where you can enter your password to be emailed to you.</p>
and click on "Unsubscribe"; if you have forgotten your </li>
password, there is another button that will cause your password
to be emailed to you.</p>
</li>
</ul> </ul>
<hr> <hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2> <h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 9/17/2003 - <a
<p align="left"><font size="2">Last updated 8/7/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
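Review bot: the subscribe link in the new Development section shows `https//lists.shorewall.net/mailman/listinfo/shorewall-devel.` as its visible text, missing the colon after `https` and carrying the sentence's period inside the anchor, while the Announce link in this same hunk was corrected to `https://lists.shorewall.net/mailman/listinfo/shorewall-announce` with the period outside the anchor; the Users section link text has the same missing colon. Suggest making all three match the corrected Announce form. Also left behind on the new side are two empty `<ul> </ul>` pairs and an empty `<a href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" target="_top"></a>` after the Announce subscribe paragraph, which can be dropped. It would also help if the CA Certificate paragraph stated what installing the CA certificate in a browser implies, since the alternative it offers, accepting the server's certificate when prompted, is scoped to that one server.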

File diff suppressed because one or more lines are too long

View File

@ -2,190 +2,170 @@
<html> <html>
<head> <head>
<title>ICMP Echo-request (Ping)</title> <title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1> <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time with the latest Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade version</b></font>". If that command gives you an error, it's time to
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br> upgrade since you have a very old version of Shorewall installed (1.2.4
or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2> <h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just In Shoreall 1.4.0 and later version, ICMP echo-request's are treated
like any other connection request.<br> just like any other connection request.<br>
<br> <br>
In order to accept ping requests from zone z1 to zone z2 where the policy In order to accept ping requests from zone z1 to zone z2 where the
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the policy for z1 to z2 is not ACCEPT, you need a rule in
form:<br> /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> Example: <br>
Example: <br> <br>
<br> To permit ping from the local zone to the firewall:<br>
To permit ping from the local zone to the firewall:<br> <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; </blockquote>
icmp&nbsp;&nbsp;&nbsp; 8<br> If you would like to accept 'ping' by default even when the relevant
</blockquote> policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
If you would like to accept 'ping' by default even when the relevant doesn't already exist and in that file place the following command:<br>
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> Example:<br>
Example:<br> <br>
<br> To drop ping from the internet, you would need this rule in
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> /etc/shorewall/rules:<br>
<br> <br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> <h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with
OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No In 1.3.14, Ping handling was put under control of the rules and
in /etc/shorewall/shorewall.conf</h2> policies just like any other connection request. In order to accept
In 1.3.14, Ping handling was put under control of the rules and policies ping requests from zone z1 to zone z2 where the policy for z1 to z2 is
just like any other connection request. In order to accept ping requests not ACCEPT, you need a rule in /etc/shoreall/rules of the form:<br>
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
need a rule in /etc/shoreall/rules of the form:<br> z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; Example: <br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> <br>
</blockquote> To permit ping from the local zone to the firewall:<br>
Example: <br> <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
<br> fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
To permit ping from the local zone to the firewall:<br> </blockquote>
If you would like to accept 'ping' by default even when the relevant
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
icmp&nbsp;&nbsp;&nbsp; 8<br> doesn't already exist and in that file place the following command:<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> Example:<br>
Example:<br> <br>
<br> To drop ping from the internet, you would need this rule in
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
icmp&nbsp;&nbsp;&nbsp; 8<br> </blockquote>
</blockquote> <span style="font-weight: bold;">NOTE:&nbsp; </span>There is one
exception to the above description. In 1.3.14 and 1.3.14a, ping from
<blockquote> </blockquote> the firewall itself is enabled unconditionally. This suprising
"feature" was removed in version 1.4.0.<br>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br> <blockquote> </blockquote>
</h2> <blockquote> </blockquote>
There are several aspects to the old Shorewall Ping management:<br> <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <li>The <b>noping</b> and <b>filterping </b>interface options in <a
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here <li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li> and simple routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3> <h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified <li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li> be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives <li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li> the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the <li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li> request is passed to the rules/policy evaluation.</li>
</ol> </ol>
<h3>Ping Requests Forwarded by the Firewall</h3> <h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br> These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3> <h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br> Ping requests are ICMP type 8. So the general rule format is:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br> Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp;
<br> 8<br>
Example 1. Accept pings from the net to the dmz (pings are responded <br>
to with an ICMP echo-reply):<br> Example 1. Accept pings from the net to the dmz (pings are responded to
<br> with an ICMP echo-reply):<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; <br>
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br> &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
<br> dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
Example 2. Drop pings from the net to the firewall<br> <br>
<br> Example 2. Drop pings from the net to the firewall<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <br>
icmp&nbsp;&nbsp;&nbsp; 8<br> &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3> <h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to If no applicable rule is found, then the policy for the source to
the destination is applied.<br> the destination is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded <li>If the relevant policy is ACCEPT then the request is responded to
to with an ICMP echo-reply.</li> with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in
then the request is responded to with an ICMP echo-reply.</li> /etc/shorewall/shorewall.conf then the request is responded to with an
<li>Otherwise, the relevant REJECT or DROP policy is used and the ICMP echo-reply.</li>
request is either rejected or simply ignored.</li> <li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol> </ol>
<div style="text-align: justify;"><font size="2">Updated 8/23/2003 - <a
<p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a> href="support.htm">Tom Eastep</a></font></div>
</font></p> <p><font size="2"> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
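Review bot: the path `/etc/shoreall/rules` in the "Versions &gt;= 1.4.0" and "Versions &gt;= 1.3.14" sections is misspelled on both sides of the hunk, while the same sections spell `/etc/shorewall/rules` correctly a few lines later; anyone copying the first spelling will be pointed at the wrong file, so suggest fixing it, together with "In Shoreall 1.4.0 and later version" (should read "In Shorewall 1.4.0 and later versions"), "echo-request's" (should read "echo-requests") and "suprising" in the new NOTE (should read "surprising"). The new side also adds a second empty `<blockquote> </blockquote>` beside the one the old side already had; both can go. The new NOTE documenting that 1.3.14 and 1.3.14a answered pings from the firewall itself unconditionally is a useful addition and worth keeping prominent.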

View File

@ -1,112 +1,102 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Samba</title> <title>Samba</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Samba</font></h1> <h1 align="center"><font color="#ffffff">Samba</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>If you wish to run Samba on your firewall and access shares between
<p>If you wish to run Samba on your firewall and access shares between the the firewall and local hosts, you need the following rules:</p>
firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4> <h4>/etc/shorewall/rules:</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>loc</td> <td>loc</td>
<td>udp</td> <td>udp</td>
<td>137:139</td> <td>137:139</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>loc</td> <td>loc</td>
<td>tcp</td> <td>tcp</td>
<td>137,139</td> <td>137,139,445</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>loc</td> <td>loc</td>
<td>udp</td> <td>udp</td>
<td>1024:</td> <td>1024:</td>
<td>137</td> <td>137</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>loc</td> <td>loc</td>
<td>fw</td> <td>fw</td>
<td>udp</td> <td>udp</td>
<td>137:139</td> <td>137:139</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>loc</td> <td>loc</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>137,139</td> <td>137,139,445</td>
<td> </td> <td>&nbsp;</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>loc</td> <td>loc</td>
<td>fw</td> <td>fw</td>
<td>udp</td> <td>udp</td>
<td>1024:</td> <td>1024:</td>
<td>137</td> <td>137</td>
<td> </td> <td>&nbsp;</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p> Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
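Review bot: both tcp rows change the DEST PORT(S) value from `137,139` to `137,139,445`, but the introductory sentence ("you need the following rules") is unchanged and nothing on the page says why 445 is now required or which clients need it; readers who previously tightened their rules to 137,139 will not know whether to add it. Suggest a one-line note above the table explaining the new port alongside the Last modified date change.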

View File

@ -98,15 +98,12 @@ uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br> QuickStart Guide</a> for details.<br>
<h2>News</h2> <h2>News</h2>
<p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img <p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;" style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><b> </b></p> src="images/new10.gif" alt="(New)" title=""><br>
<blockquote> </b></p>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br> <b>Problems Corrected since version 1.4.6 (Those in bold font
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" were corrected since 1.4.7 RC2)</b><br>
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<b>Problems Corrected since version 1.4.6</b><br>
<ol> <ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li> variable was being tested before it was set.</li>
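Review bot: the new heading text "Problems Corrected since version 1.4.6 (Those in bold font were corrected since 1.4.7 RC2)" relies on bold styling alone to flag the post-RC2 fixes, and the items in the list below that carry the styling do so via a bare span with font-weight: bold and no textual marker, so the distinction is lost in text-mode browsers, mail digests and screen readers. Add a short textual tag such as "(since RC2)" to those items as well. Minor: the "(New)" image keeps an empty title attribute, which can be dropped since alt="(New)" already describes it.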
@ -121,29 +118,108 @@ during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br> added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br> &nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages<br> The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li>The 'shorewall reject' and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li> </li>
<li>Shorewall previously choked over
IPV6 addresses configured on interfaces in contexts where Shorewall
needed to detect something about the interface (such as when "detect"
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol> </ol>
<b>Migration Issues:</b><br> <b>Migration Issues:</b><br>
<ol> <ol>
<li>Once you have installed this version of Shorewall, you must <li>Shorewall IP Traffic Accounting has changed since snapshot
restart Shorewall before you may use the 'drop', 'reject', 'allow' or 20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
'save' commands.</li> details.</li>
<li>To maintain strict compatibility with previous versions, <li>The Uset Set capability introduced in SnapShot 20030821 has
current uses of "shorewall drop" and "shorewall reject" should be changed -- see the <a href="UserSets.html">User Set page</a> for
replaced with "shorewall dropall" and "shorewall rejectall" </li> details.</li>
<li>The per-interface Dynamic Blacklisting facility introduced
in the first post-1.4.6 Snapshot has been removed. The facility had too
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol> </ol>
<b>New Features:</b><br> <b>New Features:</b><br>
<ol> <ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is to
be used for blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is
blacklisted using these new commands, it will be blacklisted on all of
your firewall's interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give <li>Thanks to Steve Herber, the 'help' command can now give
command-specific help (e.g., shorewall help &lt;command&gt;).</li> command-specific help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to <li>A new option "ADMINISABSENTMINDED" has been added to
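Review bot: the migration item that removes the per-interface Dynamic Blacklisting facility replaces the earlier advice to switch to "shorewall dropall" and "shorewall rejectall", but it never says what now happens to those two commands; state whether they remain as aliases for "drop" and "reject" or fail, since any administrator who followed the snapshot advice has scripts that depend on them. Two typos in the added lines: "correctly removes the lock fille" in the common/common.def item should read "lock file", and "The Uset Set capability introduced in SnapShot 20030821" should read "The User Set capability introduced in Snapshot 20030821". The "No policy defined from zone <source> to zone <dest>" change is the right behaviour (a fatal error instead of a shell syntax error), but the sentence "the firewall is stopped" would be clearer if it said which state the firewall ends up in, so the reader knows whether traffic is blocked after that failure.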
@ -225,11 +301,97 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly such a configuration in a production environment is strongly
recommended against.<br> recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a>
for details.<br>
<br>
</li> </li>
</ol> </ol>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img border="0" <p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
src="images/new10.gif" width="28" height="12" alt="(New)"> <br> <p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<p style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
size="3"><br>
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
</p>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
</font>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b>&nbsp; <br>
</b></p> </b></p>
<b>Problems Corrected since version 1.4.6:</b><br> <b>Problems Corrected since version 1.4.6:</b><br>
<ol> <ol>
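Review bot: the rate-limiting walkthrough (the paragraph beginning "The first time this rule is reached, the packet will be accepted") explains the burst and refill behaviour but never says what becomes of the packets that exceed the limit. With netfilter's limit match the rule simply stops matching, so those packets continue to the following rules and ultimately to the policy for that zone pair; say this explicitly, ideally next to the warning about "all" in the SOURCE or DEST fields, so nobody assumes the excess is dropped by the rate-limited rule itself. Copy fixes in the added lines: a stray "\" precedes the closing </li> of the masq ADDRESS item ("round-robin fashion. \"); "you will need o create two rules" should be "need to create"; "all pairs of covered by the rule" should be "all pairs covered by the rule"; "nor there may be any white space" should be "nor may there be any white space"; "for 2 second" should be "for 2 seconds"; and "Merci Beacoup, Fabien!" in the French translation item should be "Merci Beaucoup, Fabien!".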
@ -317,7 +479,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>

View File

@ -1,119 +1,67 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/Tom.jpg"
<p align="center"> <img border="3" src="images/Tom.jpg" alt="Aging Geek - June 2003" width="320" height="240"> </p>
alt="Aging Geek - June 2003" width="320" height="240"> <p align="center">"The Aging Geek" -- June 2003<br>
</p> <br>
</p>
<p align="center">Tom -- June 2003<br>
<br>
</p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
href="http://www.experiencewashington.com">Washington State</a> .</li> State</a> .</li>
<li>BA Mathematics from <a <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
href="http://www.wsu.edu">Washington State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a href="http://www.washington.edu">University
href="http://www.washington.edu">University of Washington</a> 1969</li> of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
Computers, Incorporated</a> (now part of the <a (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
href="http://www.hp.com">The New HP</a>) 1980 - present</li> present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation
<p>I am currently a member of the design team for the next-generation operating operating system from the NonStop Enterprise Division of HP. </p>
system from the NonStop Enterprise Division of HP. </p> <p>I became interested in Internet Security when I established a home
office in 1999 and had DSL service installed in our home. I
<p>I became interested in Internet Security when I established a home office investigated ipchains and developed the scripts which are now
in 1999 and had DSL service installed in our home. I collectively known as <a href="http://seawall.sourceforge.net">
investigated ipchains and developed the scripts which are now Seattle Firewall</a>. Expanding on what I learned from Seattle
collectively known as <a href="http://seawall.sourceforge.net"> Seattle Firewall, I then designed and wrote Shorewall. </p>
Firewall</a>. Expanding on what I learned from Seattle
Firewall, I then designed and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a>
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, Washington</a>
I live with my wife Tarry.  </p> where
I live with my wife Tarry.&nbsp; </p>
<p></p> <p></p>
<ul> <ul>
</ul> </ul>
<p>For information about our home network see <a href="myfiles.htm">my
<p>For information about our home network see <a href="myfiles.htm">my Shorewall Shorewall Configuration files.</a></p>
Configuration files.</a></p> <p>All of our other systems are made by <a href="http://www.compaq.com">Compaq</a>
(part of the new <a href="http://www.hp.com/">HP</a>).</p>
<p>All of our other systems are made by <a <p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="http://www.compaq.com">Compaq</a> (part of the new <a href="support.htm">Tom Eastep</a></font> </p>
href="http://www.hp.com/">HP</a>).</p> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img
border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
height="25">
</a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a
href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/ProtectedBy.png"
alt="Protected by Shorewall" width="200" height="42" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
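Review bot: the rewrap carries over an empty <p></p> followed by an empty <ul> </ul> (just before the "For information about our home network" paragraph); they only render as blank space and should be removed along with the "powered by" badge block that this change already drops. Also, the page declares charset=windows-1252 and enters the copyright symbol literally in "© 2001, 2002, 2003 Thomas M. Eastep"; using the &copy; entity would keep the line intact if the file is ever re-encoded, which is how the rest of the site's pages express non-ASCII characters (compare the &nbsp; entities used throughout this hunk).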

View File

@ -2,155 +2,159 @@
<html> <html>
<head> <head>
<title>Shorewall Logging</title> <title>Shorewall Logging</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1> <h1 align="center"><font color="#ffffff">Logging</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using classifies log messages by a <i>facility</i> and a <i>priority</i>
the notation <i>facility.priority</i>). <br> (using the notation <i>facility.priority</i>). <br>
<br> <br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon, The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br> through <i>local7</i>.<br>
<br> <br>
Throughout the Shorewall documentation, I will use the term <i>level</i> Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter. rather than <i>priority</i> since <i>level</i> is the term used by
The syslog documentation uses the term <i>priority</i>.<br> NetFilter. The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br> <h3>Syslog Levels<br>
</h3> </h3>
Syslog levels are a method of describing to syslog (8) the importance Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level of a message and a number of Shorewall parameters have a syslog level
as their value.<br> as their value.<br>
<br> <br>
Valid levels are:<br> Valid levels are:<br>
<br> <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br> 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">debug</span>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Debug-level messages)<br>
info<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">info</span>
notice<br> (Informational)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br> 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">notice</span>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Normal but significant Condition)<br>
err<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-weight: bold;">
crit<br> warning</span> (Warning Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br> 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">err</span>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Error Conditions)<br>
emerg<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br> 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">crit</span>
For most Shorewall logging, a level of 6 (info) is appropriate. (Critical Conditions)<br>
Shorewall log messages are generated by NetFilter and are logged using &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
the <i>kern</i> facility and the level that you specify. If you are 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">alert</span>
unsure of the level to choose, 6 (info) is a safe bet. You may specify (Must be handled immediately)<br>
levels by name or by number.<br> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br> 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">emerg</span>
Syslogd writes log messages to files (typically in /var/log/*) (System is unusable)<br>
based on their facility and level. The mapping of these facility/level <br>
pairs to log files is done in /etc/syslog.conf (5). If you make changes For most Shorewall logging, a level of 6 (info) is appropriate.
to this file, you must restart syslogd before the changes can take effect.<br> Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3> <h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br> There are a couple of limitations to syslogd-based logging:<br>
<ol> <ol>
<li>If you give, for example, kern.info it's own log destination then <li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice) that destination will also receive all kernel messages of levels 5
through 0 (emerg).</li> (notice) through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just <li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br> those from NetFilter.<br>
</li> </li>
</ol> </ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
target support (and most vendor-supplied kernels do), you may also specify support (and most vendor-supplied kernels do), you may also specify a
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is available will send them to a process called 'ulogd'. The ulogd program is
from http://www.gnumonks.org/projects/ulogd and can be configured to log available from http://www.gnumonks.org/projects/ulogd and can be
all Shorewall message to their own log file.<br> configured to log all Shorewall message to their own log file.<br>
<br> <br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf
absolutely no effect on your Shorewall logging (except for Shorewall status have
messages which still go to syslog).<br> absolutely no effect on your Shorewall logging (except for Shorewall
<br> status
You will need to have the kernel source available to compile ulogd.<br> messages which still go to syslog).<br>
<br> <br>
Download the ulod tar file and:<br> You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol> <ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br> <li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li> </li>
<li>cd /usr/local/src (or wherever you do your builds)</li> <li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li> <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br> <li>cd ulogd-<i>version</i><br>
</li> </li>
<li>./configure</li> <li>./configure</li>
<li>make</li> <li>make</li>
<li>make install<br> <li>make install<br>
</li> </li>
</ol> </ol>
If you are like me and don't have a development environment on your If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either NFS firewall, you can do the first six steps on another system then either
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> NFS
directory and move it to your firewall system.<br> mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
<br> directory and move it to your firewall system.<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br> <br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol> <ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li> <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li> <li>syslogsync 1</li>
</ol> </ol>
Also on the firewall system:<br> Also on the firewall system:<br>
<blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br> <blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
</blockquote> </blockquote>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" to /etc/init.d/ulogd. I had to edit the line that read "daemon
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple /usr/local/sbin/ulogd" to read daemon /usr/local/sbin/ulogd -d". On a
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system RedHat system, a simple
may need something else done to activate the script.<br> "chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init
<br> system
You will need to change all instances of log levels (usually 'info') in may need something else done to activate the script.<br>
your configuration files to 'ULOG' - this includes entries in the policy, <br>
rules and shorewall.conf files. Here's what I have:<br> You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the
policy, rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre> <pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and where to look for the log when processing its "show log", "logwatch"
"monitor" commands.<br> and
"monitor" commands.<br>
<p><font size="2"> Updated 7/25/2003 - <a href="support.htm">Tom Eastep</a> <h2>Syslog-ng</h2>
</font></p> <a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; is a post describing configuring syslog-ng to work with Shorewall.<br>
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br> <p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
</p> </font></p>
<br> <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
<br> size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body> </body>
</html> </html>
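Review bot: The new Syslog-ng section at the end of this file links only the word "Here" to an external mailing-list archive (marc.theaimsgroup.com) and says nothing about what the syslog-ng configuration involves; archive URLs tend to rot, so consider descriptive link text (for example "a post on the gentoo-security list describing how to configure syslog-ng for Shorewall") and at least one sentence summarising the approach so the section stays useful if the link dies. The ulogd walk-through above it is otherwise consistent: the syslogfile set in ulogd.conf, the touched file, and LOGFILE in shorewall.conf all refer to the same path, which is what "shorewall show log", "logwatch" and "monitor" rely on.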

View File

@ -1,98 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title> <title>Shorewall Mirrors</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left"><b>Remember that updates to the mirrors are often
<p align="left"><b>Remember that updates to the mirrors are often delayed delayed for 6-12 hours after an update to the primary rsync site. For
for 6-12 hours after an update to the primary rsync site. For HTML content, HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>) is updated at the same time as the rsync site.</b></p>
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a <p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p> and is located in California, USA. It is mirrored at:</p>
<ul> <ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> <li><a target="_top" href="http://slovakia.shorewall.net">http://slovakia.shorewall.net</a>
http://slovakia.shorewall.net</a> (Slovak Republic).</li> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" <li> <a href="http://www.infohiiway.com/shorewall" target="_top">http://shorewall.infohiiway.com</a>
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> <li><a target="_top" href="http://germany.shorewall.net">http://germany.shorewall.net</a>
http://germany.shorewall.net</a> (Hamburg, Germany)</li> - Also accessible as <a href="http://www.shorewall.de" target="_top">http://www.shorewall.de</a>
<li><a target="_top" (Hamburg, Germany)</li>
href="http://france.shorewall.net">http://france.shorewall.net</a> <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl <li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li> </a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a> <li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li> (Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a> <li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li> (Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br" <li><a href="http://shorewall.securityopensource.org.br" target="_top">http://shorewall.securityopensource.org.br</a>
target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br> (Brazil)</li>
</li> <li><a href="http://www.shorewall.com.au" target="_top">http://www.shorewall.com.au</a>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> (Australia)<br>
(Washington State, USA)<br> </li>
</li> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul> </ul>
<p align="left">The rsync site is mirrored via FTP at:</p> <p align="left">The rsync site is mirrored via FTP at:</p>
<ul> <ul>
<li><a target="_blank" <li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a> href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li> (Slovak Republic).</li>
<li> <a <li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA
(Texas, USA -- temporarily unavailable).</li> -- temporarily unavailable).</li>
<li><a target="_blank" <li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a> href="ftp://germany.shorewall.net/pub/shorewall">ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li> AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shorewall.de/pub/shorewall</a>
<li> <a target="_blank" (Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" <li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" <li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
target="_blank">ftp://ftp.shorewall.net </a>(Washington State, USA)<br> (Australia)<br>
</li> </li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul> </ul>
Search results and the mailing list archives are always fetched Search results and the mailing list archives are always fetched from
from the site in Washington State.<br> the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/27/2003 - <a
<p align="left"><font size="2">Last Updated 8/4/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
</p> Eastep</font></a></font><br>
<br> </p>
<br>
</body> </body>
</html> </html>
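Review bot: The infohiiway HTML mirror entry (unchanged context near the top of the first list) has href="http://www.infohiiway.com/shorewall" while its visible text reads http://shorewall.infohiiway.com; one of the two is wrong, and a reader copying the visible text lands somewhere other than where the link points. Worth fixing while this list is being touched. The new Australian entries are consistent between the HTML list (http://www.shorewall.com.au) and the FTP list (ftp://ftp.shorewall.com.au) and match the 8/27/2003 news item; the added www.shorewall.de alias for the Hamburg mirror likewise appears in both lists.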

View File

@ -26,7 +26,10 @@ Guides (HOWTO's)<br>
<p align="center">With thanks to Richard who reminded me once again <p align="center">With thanks to Richard who reminded me once again
that we that we
must all first walk before we can run.<br> must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations of the single-IP guides are courtesy of Patrice
Vetsel<br>
The French Translation of the Shorewall Setup Guide is courtesy of
Fabien Demassieux.<br>
</p> </p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring <p>These guides provide step-by-step instructions for configuring
@ -55,10 +58,11 @@ IP address</b></big></big></font>:<br>
</p> </p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup <blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide</a> (See Index Below) outlines the steps necessary to set up a Guide</a> (See Index Below) outlines the steps necessary to set up a
firewall where there are <small><small><big><big>multiple public IP firewall where there are multiple public IP
addresses</big></big></small></small> involved or if you addresses involved or if you
want to learn more about Shorewall than is explained in the want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote> single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
Française</a>).</blockquote>
<ul> <ul>
</ul> </ul>
<h2><b><a name="Documentation"></a></b>Documentation Index</h2> <h2><b><a name="Documentation"></a></b>Documentation Index</h2>
@ -67,6 +71,8 @@ the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a href="Accounting.html">Accounting</a><br>
</li>
<li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) <li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual)
Interfaces (e.g., eth0:0)</a><br> Interfaces (e.g., eth0:0)</a><br>
</li> </li>
@ -122,6 +128,9 @@ in Shorewall</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a href="Accounting.html">accounting</a></li>
<li><a href="UserSets.html">usersets and users</a><br>
</li>
</ul> </ul>
</li> </li>
<li><a href="CorpNetwork.htm">Corporate Network Example</a> <li><a href="CorpNetwork.htm">Corporate Network Example</a>
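Review bot: The new "accounting" entry is appended after "routestopped", which breaks the alphabetical order the visible part of this configuration-file list follows (blacklist, rfc1918, routestopped); move it ahead of "blacklist". The "usersets and users" entry is correctly placed at the end.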
@ -234,9 +243,12 @@ commands</li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a></li> with Shorewall</a></li>
<li><a href="Accounting.html">Traffic Accounting</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it <li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a><br> doesn't work)</a></li>
<li><a href="UserSets.html">UID/GID Based Rules</a><br>
</li> </li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br> <li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li> </li>
@ -260,7 +272,7 @@ firewall to a remote network.</li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p> <a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 8/9/2003 - <a href="support.htm">Tom <p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
Eastep</a></font></p> Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
M. Eastep</font></a><br> M. Eastep</font></a><br>

View File

@ -99,44 +99,131 @@ QuickStart Guide</a> for
details. details.
<h2></h2> <h2></h2>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<p><b>8/9/2003 - Snapshot 1.4.6_20030809</b><b> <img <b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;" style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><b> </b></p> src="images/new10.gif" alt="(New)" title=""></b><br>
<blockquote> <b><br>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br> Problems Corrected since version 1.4.6 (Those in bold font
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" were corrected since 1.4.7 RC2).</b><br>
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<b>Problems Corrected since version 1.4.6</b><br>
<ol> <ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li> variable was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of <li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid the tcrules file. Previously, these addresses resulted in an invalid
iptables command.</li> iptables command.</li>
<li>The <li>The "shorewall stop" command is now disabled when
"shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from /etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured Shorewall.</li> shooting themselves in the foot prior to having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages <li>A change introduced in version 1.4.6 caused error messages
during during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were were being added to a PPP interface; the addresses were successfully
being added to a PPP interface; the addresses were successfully added added in spite of the messages.<br>
in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br> &nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages<br> The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li value="7">The 'shorewall reject'
and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li> </li>
<li>Shorewall previously choked over
IPV6
addresses configured on interfaces in contexts where Shorewall needed
to detect something about the interface (such as when "detect" appears
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy
ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol> </ol>
<b>Migration Issues:</b><br> <b>Migration Issues:</b><br>
<ol> <ol>
<li>Once you have installed this version of Shorewall, you must <li>Shorewall IP Traffic Accounting has changed since snapshot
restart Shorewall before you may use the 'drop', 'reject', 'allow' or 20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
'save' commands.</li> details.</li>
<li>To maintain strict compatibility with previous versions, <li>The Uset Set capability introduced in SnapShot 20030821 has
current uses of "shorewall drop" and "shorewall reject" should be changed -- see the <a href="UserSets.html">User Set page</a> for
replaced with "shorewall dropall" and "shorewall rejectall" </li> details.</li>
<li>The
per-interface Dynamic Blacklisting facility introduced in the first
post-1.4.6 Snapshot has been removed. The facility had too many
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol> </ol>
<b>New Features:</b><br> <b></b><b>New Features:</b><br>
<ol> <ol>
<li>Shorewall now creates a dynamic blacklisting chain for each <li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject' interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
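Review bot: The release notes contradict themselves on per-interface dynamic blacklisting: Problems Corrected item 5 says interface-specific dynamic blacklisting chains are now shown by "shorewall monitor", and the unchanged New Features item 1 at the end of this hunk still says Shorewall creates a dynamic blacklisting chain for each interface, yet the new Migration Issues item 3 says the per-interface facility has been removed. If the facility is gone, New Features item 1 should be dropped or rewritten and item 5 reworded, otherwise readers of the 1.4.7 notes will look for chains that no longer exist. Smaller points in the same hunk: "the lock fille" should be "the lock file"; "The Uset Set capability" should be "The User Set capability"; the empty "<b></b>" in front of "New Features:" is leftover markup; "<li value="7">" is redundant since six items already precede it and it will silently renumber if an item is inserted above; and the very long runs of "&nbsp;" used to indent the sample error and startup output render unpredictably, so a "<pre>" block would be clearer.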
@ -191,10 +278,9 @@ stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my As part of its stop processing, Shorewall removes eth0:0 which kills my
SSH SSH
connection to 192.168.1.5!!!</li> connection to 192.168.1.5!!!</li>
<li>Given <li>Given the wide range of VPN software, I can never hope to
the wide range of VPN software, I can never hope to add specific add specific support for all of it. I have therefore decided to add
support for all of it. I have therefore decided to add "generic" tunnel "generic" tunnel support.<br>
support.<br>
&nbsp;<br> &nbsp;<br>
Generic tunnels work pretty much like any of the other tunnel types. Generic tunnels work pretty much like any of the other tunnel types.
You usually add a zone to represent the systems at the other end of the You usually add a zone to represent the systems at the other end of the
@ -218,9 +304,8 @@ the remote tunnel gateway<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
address of the remote tunnel gateway.<br> address of the remote tunnel gateway.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
Optional. A comma-separated list of zone Optional. A comma-separated list of zone names. If specified, the
names. If specified, the remote gateway is to be considered part of remote gateway is to be considered part of these zones.</li>
these zones.</li>
<li>An 'arp_filter' option has been added to the <li>An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes /etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the /proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
@ -230,9 +315,94 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly such a configuration in a production environment is strongly
recommended against.<br> recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li> </li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
details.</li>
</ol> </ol>
<p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
<p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<div style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
- Shorewall 1.4.7 Beta 2</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img <p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;" style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""> <br> src="images/new10.gif" alt="(New)" title=""> <br>
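Review bot: the "9/15/2003 - Shorewall 1.4.7 Beta 2" entry near the end of this hunk loads its "(New)" image from `src="file:///vfat/Shorewall-docs/images/new10.gif"`, a path on the author's local disk that will render as a broken image for every reader; the neighbouring 8/5/2003 entry uses `src="images/new10.gif"` and this one should too. The same heading is also run into the `<font>` element of the 8/26/2003 French-translation paragraph instead of getting its own `<p><b>...</b></p>` like the other dated entries, so it will render as trailing text of the previous item. Smaller wording fixes in the rate-limit description: "nor there may be any white space" should read "nor may there be any white space", "if no packets hit the rule for 2 second" should be "2 seconds", and "Merci Beacoup" should be "Merci Beaucoup".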
@ -333,7 +503,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>

View File

@ -1,368 +1,326 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title> <title>Starting and Stopping Shorewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring Monitoring the Firewall</font></h1>
the Firewall</font></h1> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<p> If you have a permanent internet connection such as DSL or Cable, I
<p> If you have a permanent internet connection such as DSL or Cable, recommend that you start the firewall automatically at boot. Once you
I recommend that you start the firewall automatically at boot. have installed "firewall" in your init.d directory, simply type
Once you have installed "firewall" in your init.d directory, simply "chkconfig --add firewall". This will start the firewall in run levels
type "chkconfig --add firewall". This will start the firewall 2-5 and stop it in run levels 1 and 6. If you want to configure your
in run levels 2-5 and stop it in run levels 1 and 6. If you want firewall differently from this default, you can
to configure your firewall differently from this default, you can use the "--level" option in chkconfig (see "man chkconfig") or using
use the "--level" option in chkconfig (see "man chkconfig") or using your favorite graphical run-level editor.</p>
your favorite graphical run-level editor.</p> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you <li>Shorewall startup is disabled by default. Once you have
have configured your firewall, you can enable startup by removing the configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note: Users of the .deb package file /etc/shorewall/startup_disabled. Note: Users of the .deb package
must edit /etc/default/shorewall and set 'startup=1'.<br> must edit /etc/default/shorewall and set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall <li>If you use dialup, you may want to start the firewall in your
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li> restart" in that script.</li>
</ol> </ol>
<p> </p>
<p> </p> <p> You can manually start and stop Shoreline Firewall using the
"shorewall" shell program. Please refer to the <a
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p> State Diagram</a> is shown at the bottom of this page. </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall; the only traffic <li>shorewall stop - stops the firewall; the only traffic permitted
permitted through the firewall is from systems listed in /etc/shorewall/routestopped through the firewall is from systems listed in
(Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf /etc/shorewall/routestopped
then in addition, all existing connections are permitted and any new connections (Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf
then in addition, all existing connections are permitted and any new
connections
originating from the firewall itself are allowed).</li> originating from the firewall itself are allowed).</li>
<li>shorewall restart - stops the firewall (if it's <li>shorewall restart - stops the firewall (if it's running) and then
running) and then starts it again</li> starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters in the
in the firewall</li> firewall</li>
<li>shorewall clear - remove all rules and chains <li>shorewall clear - remove all rules and chains installed by
installed by Shoreline Firewall. The firewall is "wide open"</li> Shoreline Firewall. The firewall is "wide open"</li>
<li>shorewall refresh - refresh the rules involving <li>shorewall refresh - refresh the rules involving
the broadcast addresses of firewall interfaces, <a the broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li> href="ECN.html">ECN control rules</a>.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, If you include the keyword <i>debug</i> as the first argument, then a
then a shell trace of the command is produced as in:<br> shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the
<p>The above command would trace the 'start' command and place the trace information trace information
in the file /tmp/trace<br> in the file /tmp/trace<br>
</p> </p>
<p>Beginning with version 1.4.7, shorewall can give detailed help about
<p>Beginning with version 1.4.7, shorewall can give detailed help about each each of its commands:<br>
of its commands:<br> </p>
</p>
<ul> <ul>
<li>shorewall help [ <i>command</i> | host | address ]<br> <li>shorewall help [ <i>command</i> | host | address ]<br>
</li> </li>
</ul> </ul>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about <li>shorewall status - produce a verbose report about the firewall
the firewall (iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose <li>shorewall show <i>chain</i>1 [ <span style="font-style: italic;">chain2
report about <i>chain </i>(iptables -L <i>chain</i> ... </span>] - produce a verbose
-n -v)</li> report about the listed <i>chains </i>(iptables -L <i>chain</i>
<li>shorewall show nat - produce a verbose report about -n -v) <span style="font-weight: bold;">Note: </span>You may only
the nat table (iptables -t nat -L -n -v)</li> list one chain in the <span style="font-weight: bold;">show</span>
<li>shorewall show tos - produce a verbose report about command when running Shorewall version 1.4.6 and earlier.&nbsp; Version
the mangle table (iptables -t mangle -L -n -v)</li> 1.4.7 and later allow you to list multiple chains in one command.<br>
<li>shorewall show log - display the last 20 packet </li>
log entries.</li> <li>shorewall show nat - produce a verbose report about the nat table
<li>shorewall show connections - displays the IP connections (iptables -t nat -L -n -v)</li>
currently being tracked by the firewall.</li> <li>shorewall show tos - produce a verbose report about the mangle
<li>shorewall table (iptables -t mangle -L -n -v)</li>
show tc <li>shorewall show log - display the last 20 packet
- displays information about the traffic control/shaping configuration.</li> log entries.</li>
<li>shorewall monitor [ delay ] - Continuously display <li>shorewall show connections - displays the IP connections
the firewall status, last 20 log entries and nat. When the currently being tracked by the firewall.</li>
log entry display changes, an audible alarm is sounded.</li> <li>shorewall show tc - displays information about the traffic
<li>shorewall hits - Produces several reports about control/shaping configuration.</li>
the Shorewall packet log messages in the current /var/log/messages <li>shorewall monitor [ delay ] - Continuously display the firewall
file.</li> status, last 20 log entries and nat. When the log entry display
<li>shorewall version - Displays the installed changes, an audible alarm is sounded.</li>
version number.</li> <li>shorewall hits - Produces several reports about
<li>shorewall check - Performs a <u>cursory</u> validation of the Shorewall packet log messages in the current /var/log/messages file.</li>
the zones, interfaces, hosts, rules and policy files.<br> <li>shorewall version - Displays the installed version number.</li>
<br> <li>shorewall check - Performs a <u>cursory</u> validation of the
<font size="4" color="#ff6666"><b>The "check" command is totally zones, interfaces, hosts, rules and policy files.<br>
unsuppored and does not parse and validate the generated iptables <br>
commands. Even though the "check" command completes successfully, <font size="4" color="#ff6666"><b>The "check" command is totally
the configuration may fail to start. Problem reports that complain about unsuppored and does not parse and validate the generated iptables
errors that the 'check' command does not detect will not be accepted.<br> commands. Even though the "check" command completes successfully,
<br> the configuration may fail to start. Problem reports that complain
See the recommended way to make configuration changes described about
below.</b></font><br> errors that the 'check' command does not detect will not be accepted.<br>
<br> <br>
</li> See the recommended way to make configuration changes described below.</b></font><br>
<li>shorewall try<i> configuration-directory</i> [<i> <br>
timeout</i> ] - Restart shorewall using the specified configuration </li>
and if an error occurs or if the<i> timeout </i> option is given <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -
and the new configuration has been up for that many seconds then Restart shorewall using the specified configuration and if an error
shorewall is restarted using the standard configuration.</li> occurs or if the<i> timeout </i> option is given
<li>shorewall deny, shorewall reject, shorewall accept and the new configuration has been up for that many seconds then
and shorewall save implement <a shorewall is restarted using the standard configuration.</li>
href="blacklisting_support.htm">dynamic blacklisting</a>.</li> <li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
<li>shorewall logwatch (added in version 1.3.2) - Monitors href="#Conf">LOGFILE </a>and produces an audible alarm when new
the <a href="#Conf">LOGFILE </a>and produces an audible alarm Shorewall messages are logged.</li>
when new Shorewall messages are logged.</li>
</ul> </ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:<br> commands for dealing with IP addresses and IP address ranges:<br>
<ul> <ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] <li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ]
- displays the network address, broadcast address, network in CIDR notation - displays the network address, broadcast address, network in CIDR
and netmask corresponding to the input[s].</li> notation and netmask corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified <li>shorewall iprange <i>address1-address2</i> - Decomposes the
range of IP addresses into the equivalent list of network/host addresses. specified range of IP addresses into the equivalent list of
<br> network/host addresses. <br>
</li> </li>
</ul> </ul>
There is a set of commands dealing with <a There is a set of commands dealing with <a
href="blacklisting_support.htm">dynamic blacklisting</a>:<br> href="blacklisting_support.htm">dynamic blacklisting</a>:<br>
<ul> <ul>
<li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets from <li>shorewall drop <i>&lt;ip address list&gt; </i>- causes packets
the listed IP addresses to be silently dropped by the firewall.</li> from the listed IP addresses to be silently dropped by the firewall.</li>
<li>shorewall reject <i>&lt;ip address list&gt; </i>- causes packets from <li>shorewall reject <i>&lt;ip address list&gt; </i>- causes
the listed IP addresses to be rejected by the firewall.</li> packets from the listed IP addresses to be rejected by the firewall.</li>
<li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables receipt <li>shorewall allow <i>&lt;ip address list&gt; </i>- re-enables
of packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i> receipt of packets from hosts previously blacklisted by a <i>drop</i>
command.</li> or <i>reject</i> command.</li>
<li>shorewall save - save the dynamic blacklisting configuration so that <li>shorewall save - save the dynamic blacklisting configuration so
it will be automatically restored the next time that the firewall is that it will be automatically restored the next time that the firewall
restarted.</li> is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting chain.<br> <li>show dynamic - displays the dynamic blacklisting chain.<br>
</li> </li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br> contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
</i>- Adds the specified interface (and host if included) to the Adds the specified interface (and host if included) to the specified
specified zone.</li> zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
</i>- Deletes the specified interface (and host if included) from Deletes the specified interface (and host if included) from the
the specified zone.</li> specified zone.</li>
</ul> </ul>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> vpn1</b></font> -- adds the address 192.0.2.24 from interface ipsec0 to
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br> the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
from zone vpn1<br> </blockquote>
</blockquote> </blockquote>
</blockquote> <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall
check, </b>and <b>shorewall try </b>commands allow you to specify
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and which <a href="configuration_file_basics.htm#Configs"> Shorewall
<b>shorewall try </b>commands allow you to specify which <a configuration</a> to use:</p>
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ]
shorewall try <i>configuration-directory</i></p> {start|restart|check}<br>
</blockquote> shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that
is going to use a file in /etc/shorewall it will first look in the Shorewall is going to use a file in /etc/shorewall it will first look
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>, in the <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will that file will be used; otherwise, the file in /etc/shorewall will be
be used.</p> used.</p>
<p> When changing the configuration of a production firewall, I
<p> When changing the configuration of a production firewall, I recommend recommend the following:</p>
the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change <li>&lt;copy any files that you need to change from /etc/shorewall to
from /etc/shorewall to . and change them here&gt;</li> . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li> <li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li><font <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall
<p> If the configuration starts but doesn't work, just "shorewall restart" restart" to restore the old configuration. If the new configuration
to restore the old configuration. If the new configuration fails fails to start, the "try" command will automatically start the old one
to start, the "try" command will automatically start the old one for for you.</p>
you.</p> <p> When the new configuration works then just </p>
<p> When the new configuration works then just </p>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br> below.<br>
</p> </p>
<div align="center"><img src="images/State_Diagram.png" <div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle"> alt="(State Diagram)" width="747" height="714" align="middle"> <br>
<br> </div>
</div> <p>&nbsp; <br>
</p>
<p>  <br> You will note that the commands that result in state transitions use
</p> the word "firewall" rather than "shorewall". That is because the actual
You will note that the commands that result in state transitions transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall
use the word "firewall" rather than "shorewall". That is because the runs 'firewall" according to the following table:<br>
actual transitions are done by /usr/share/shorewall/firewall; /sbin/shorewall <br>
runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><u><b>/sbin/shorewall Command</b><br> <td valign="top"><u><b>/sbin/shorewall Command</b><br>
</u></td> </u></td>
<td valign="top"><u><b>Resulting /usr/share/shorewall/firewall Command</b><br> <td valign="top"><u><b>Resulting /usr/share/shorewall/firewall
</u></td> Command</b><br>
<td valign="top"><u><b>Effect if the Command Succeeds</b><br> </u></td>
</u></td> <td valign="top"><u><b>Effect if the Command Succeeds</b><br>
</tr> </u></td>
<tr> </tr>
<td valign="top">shorewall start<br> <tr>
</td> <td valign="top">shorewall start<br>
<td valign="top">firewall start<br> </td>
</td> <td valign="top">firewall start<br>
<td valign="top">The system filters packets based on your current </td>
<td valign="top">The system filters packets based on your current
Shorewall Configuration<br> Shorewall Configuration<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall stop<br> <td valign="top">shorewall stop<br>
</td> </td>
<td valign="top">firewall stop<br> <td valign="top">firewall stop<br>
</td> </td>
<td valign="top">Only traffic to/from hosts listed in /etc/shorewall/hosts <td valign="top">Only traffic to/from hosts listed in
is passed to/from/through the firewall. For Shorewall versions beginning /etc/shorewall/hosts is passed to/from/through the firewall. For
with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then Shorewall versions beginning
in addition, all existing connections are retained and all connection requests with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
then
in addition, all existing connections are retained and all connection
requests
from the firewall are accepted.<br> from the firewall are accepted.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall restart<br> <td valign="top">shorewall restart<br>
</td> </td>
<td valign="top">firewall restart<br> <td valign="top">firewall restart<br>
</td> </td>
<td valign="top">Logically equivalent to "firewall stop;firewall <td valign="top">Logically equivalent to "firewall stop;firewall
start"<br> start"<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall add<br> <td valign="top">shorewall add<br>
</td> </td>
<td valign="top">firewall add<br> <td valign="top">firewall add<br>
</td> </td>
<td valign="top">Adds a host or subnet to a dynamic zone<br> <td valign="top">Adds a host or subnet to a dynamic zone<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall delete<br> <td valign="top">shorewall delete<br>
</td> </td>
<td valign="top">firewall delete<br> <td valign="top">firewall delete<br>
</td> </td>
<td valign="top">Deletes a host or subnet from a dynamic zone<br> <td valign="top">Deletes a host or subnet from a dynamic zone<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall refresh<br> <td valign="top">shorewall refresh<br>
</td> </td>
<td valign="top">firewall refresh<br> <td valign="top">firewall refresh<br>
</td> </td>
<td valign="top">Reloads rules dealing with static blacklisting, <td valign="top">Reloads rules dealing with static blacklisting,
traffic control and ECN.<br> traffic control and ECN.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall clear<br> <td valign="top">shorewall clear<br>
</td> </td>
<td valign="top">firewall clear<br> <td valign="top">firewall clear<br>
</td> </td>
<td valign="top">Removes all Shorewall rules, chains, addresses, <td valign="top">Removes all Shorewall rules, chains, addresses,
routes and ARP entries.<br> routes and ARP entries.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall try<br> <td valign="top">shorewall try<br>
</td> </td>
<td valign="top">firewall -c &lt;new configuration&gt; <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
restart<br> If unsuccessful then firewall start (standard configuration)<br>
If unsuccessful then firewall start (standard configuration)<br> If timeout then firewall restart (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br> </td>
</td> <td valign="top"><br>
<td valign="top"><br> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<p><font size="2"> Updated 8/25/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 7/31/2003 - <a href="support.htm">Tom Eastep</a> </font></p>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
</body> </body>
</html> </html>
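Review bot: the "shorewall stop" row of the state table says that only traffic to/from hosts listed in /etc/shorewall/hosts is passed while the firewall is stopped, but the command list earlier on the same page says the permitted systems are those in /etc/shorewall/routestopped; since this sentence describes what is still allowed when the firewall is down, the two should agree (the routestopped wording matches the rest of the page). The State Diagram link is `href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram"`, a local-disk path that will not work for readers; the target `<a name="StateDiagram">` is on this page, so `href="#StateDiagram"` is enough, and the sentence "Please refer to the Shorewall State Diagram is shown at the bottom of this page" needs "which is shown". Typos to fix while here: "unsuppored" (unsupported), "Diargram" (Diagram), and the mismatched quotes in "runs 'firewall" according to".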

View File

@ -1,92 +1,62 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title> <title>Shorewall Support Guide</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr>
<tr> <td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number of sources of Shorewall information. Please try
There are a number of sources of Shorewall information. Please these before you post.
try these before you post.
<ul> <ul>
<li>Shorewall versions <li>Shorewall versions earlier that 1.3.0 are no longer supported.<br>
earlier that 1.3.0 are no longer supported.<br> </li>
</li> <li>More than half of the questions posted on the support list have
<li>More than half of the questions posted on the support answers directly accessible from the <a
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br> Index</a><br>
</li> </li>
<li> <li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> solutions to more than 20 common problems. </li>
has solutions to more than 20 common problems. <li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
</li> Information contains a number of tips
<li> to help you solve common problems. </li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> <li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
Information contains a number of tips has links to download updated components. </li>
to help you solve common problems. </li> <li> The Site and Mailing List Archives search facility can locate
<li> documents and posts about similar problems: </li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility
can locate documents and posts about similar problems:
</li>
</ul> </ul>
<h2>Site and Mailing List Archive Search</h2> <h2>Site and Mailing List Archive Search</h2>
<blockquote> <blockquote>
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match: action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1">Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
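Review bot: in the "Before Reporting a Problem" list, "Shorewall versions earlier that 1.3.0 are no longer supported" should read "earlier than 1.3.0"; the rest of the hunk is whitespace and line-wrapping changes with no content difference.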
@ -95,250 +65,193 @@ can locate documents and posts about similar problems:
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" </font><input type="hidden" name="config" value="htdig"><input
value="htdig"><input type="hidden" name="restrict" value=""><font type="hidden" name="restrict" value=""><font size="-1"> Include
size="-1"> Include Mailing List Archives: Mailing List Archives:
<select size="1" name="exclude"> <select size="1" name="exclude">
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" Search: <input type="text" size="30" name="words" value=""> <input
name="words" value=""> <input type="submit" value="Search"><br> type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only <li>Please remember we only know what is posted in your message. Do
know what is posted in your message. Do not leave out not leave out
any information that appears to be correct, or was mentioned any information that appears to be correct, or was mentioned in a
in a previous post. There have been countless posts by people previous post. There have been countless posts by people who were sure
who were sure that some part of their configuration was correct that some part of their configuration was correct when it actually
when it actually contained a small error. We tend to be skeptics contained a small error. We tend to be skeptics where detail is lacking.<br>
where detail is lacking.<br> <br>
<br> </li>
</li> <li>Please keep in mind that you're asking for <strong>free</strong>
<li>Please keep in mind that technical support. Any help we offer is an act of generosity, not an
you're asking for <strong>free</strong> technical obligation. Try to make it easy for us to help you. Follow good,
support. Any help we offer is an act of generosity, not an obligation. courteous practices in writing and formatting your e-mail. Provide
Try to make it easy for us to help you. Follow good, courteous details
practices in writing and formatting your e-mail. Provide details that we need if you expect good answers. <em>Exact quoting </em> of
that we need if you expect good answers. <em>Exact quoting </em> error messages, log entries, command output, and other output is
of error messages, log entries, command output, and other output is better than a paraphrase or summary.<br>
better than a paraphrase or summary.<br> <br>
<br> </li>
</li> <li> Please don't describe your environment and then ask us to send
<li> you custom configuration files. We're here to answer your questions but
Please don't describe your environment and then we can't do your job for you.<br>
ask us to send you custom configuration files. <br>
We're here to answer your questions but we can't </li>
do your job for you.<br> <li>When reporting a problem, <strong>ALWAYS</strong> include this
<br> information:</li>
</li>
<li>When reporting a problem,
<strong>ALWAYS</strong> include this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of <li>the exact version of Shorewall you are running.<br>
Shorewall you are running.<br> <br>
<br> <b><font color="#009900">shorewall version</font><br>
<b><font </b> <br>
color="#009900">shorewall version</font><br> </li>
</b> <br>
</li>
</ul> </ul>
<ul> <ul>
</ul> </ul>
<ul> <ul>
<li>the complete, exact <li>the complete, exact
output of<br> output of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip addr show<br>
addr show<br> <br>
<br> </b></font></li>
</b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact <li>the complete, exact
output of<br> output of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip route show<br>
route show<br> </b></font></li>
</b></font></li>
</ul> </ul>
<ul> <ul>
</ul> </ul>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li><small><small><font color="#ff0000"><u><i><big><b>THIS <li><small><small><font color="#ff0000"><u><i><big><b>THIS
IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If your IS IMPORTANT!</b></big></i></u></font></small></small><big> </big>If
problem is that some type of connection to/from or through your firewall your
isn't working then please perform the following four steps:<br> problem is that some type of connection to/from or through your
<br> firewall
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br> isn't working then please perform the following four steps:<br>
<br> <br>
2. Try making the connection that is failing.<br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall 2. Try making the connection that is failing.<br>
status &gt; /tmp/status.txt</font></b><br> <br>
<br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
4. Post the /tmp/status.txt file as an <br>
attachment (you may compress it if you like).<br> 4. Post the /tmp/status.txt file as an
<br> attachment (you may compress it if you like).<br>
</li> <br>
<li>the exact wording of any <code </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart Guides,
Guides, please indicate which one. <br> please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake <li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.<br> using the Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As a general matter, please <strong>do not edit the diagnostic
<li>As a general matter, please <strong>do not edit the information</strong> in an attempt to conceal your IP address, netmask,
diagnostic information</strong> in an attempt to conceal nameserver addresses, domain name, etc. These aren't secrets, and
your IP address, netmask, nameserver addresses, domain name, concealing them often misleads us (and 80% of the time, a hacker could
etc. These aren't secrets, and concealing them often misleads derive them anyway from information contained in the SMTP headers of
us (and 80% of the time, a hacker could derive them anyway your post).<br>
from information contained in the SMTP headers of your post).<br> <br>
<br> <strong></strong></li>
<strong></strong></li> <li>Do you see any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
<li>Do you see any "Shorewall" messages show log</font></b>") when you exercise the function that is giving you
("<b><font color="#009900">/sbin/shorewall show log</font></b>") problems? If so, include the message(s) in your post along with a copy
when you exercise the function that is giving you problems? of your /etc/shorewall/interfaces file.<br>
If so, include the message(s) in your post along with a copy of <br>
your /etc/shorewall/interfaces file.<br> </li>
<br> <li>Please include any of the Shorewall configuration files
</li> (especially the /etc/shorewall/hosts file if you have modified that
<li>Please include any of the Shorewall configuration file) that you think are relevant. If you include /etc/shorewall/rules,
files (especially the /etc/shorewall/hosts file please include /etc/shorewall/policy as well (rules are meaningless
if you have modified that file) that you think are unless one also knows the policies).<br>
relevant. If you include /etc/shorewall/rules, please include <br>
/etc/shorewall/policy as well (rules are meaningless unless </li>
one also knows the policies).<br> <li>If an error occurs when you try to "<font color="#009900"><b>shorewall
<br> start</b></font>", include a trace (See the <a
</li>
<li>If an error occurs when you try
to "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb <li><b>The list server limits posts to 120kb so don't post GIFs of
so don't post GIFs of your network your network
layout, etc. to the Mailing List -- your post will be layout, etc. to the Mailing List -- your post will be
rejected.</b></li> rejected.</b></li>
</ul> </ul>
<blockquote> The author gratefully acknowleges that the above list was
<blockquote> The author gratefully acknowleges that the above list was heavily plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
heavily plagiarized from the excellent LEAF document by <i>Ray</i> found at <a
<em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are
<blockquote> A growing number of MTAs serving list subscribers are rejecting all HTML traffic. At least one MTA has gone so far as to
rejecting all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net "for continuous abuse" because it has been
blacklist shorewall.net "for continuous abuse" because it has been my policy to allow HTML in list posts!!<br>
my policy to allow HTML in list posts!!<br> <br>
<br> I think that blocking all HTML is a Draconian way to control spam and
I think that blocking all that the ultimate losers here are not the spammers but the list
HTML is a Draconian way to control spam and that the subscribers whose MTAs are bouncing all shorewall.net mail. As one list
ultimate losers here are not the spammers but the list subscribers subscriber wrote to me privately "These e-mail admin's need to get a <i>(expletive
whose MTAs are bouncing all shorewall.net mail. As one list deleted)</i> life instead of trying to rid the planet of HTML based
subscriber wrote to me privately "These e-mail admin's need e-mail". Nevertheless, to allow
to get a <i>(expletive deleted)</i> life instead of trying to subscribers to receive list posts as must as possible, I have now
rid the planet of HTML based e-mail". Nevertheless, to allow configured the list server at shorewall.net to convert all HTML to
subscribers to receive list posts as must as possible, I have now plain text. These converted posts are difficult to read so all of us
configured the list server at shorewall.net to strip all HTML from will appreciate it if you just post in plain text to begin with.<br>
outgoing posts.<br> </blockquote>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem to the <a
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
list</a>.</span></h4> (MNF) and you have not purchased an MNF license from MandrakeSoft then
<b>If you run Shorewall you can post non MNF-specific Shorewall questions to the </b><a
under MandrakeSoft Multi Network Firewall (MNF) and href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
you have not purchased an MNF license from MandrakeSoft then mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
list.</a> </p> mailing list.</a> </p>
</blockquote> </blockquote>
<h2>Subscribing to the Users Mailing List<br> <h2>Subscribing to the Users Mailing List<br>
</h2> </h2>
<blockquote> <blockquote>
<p> To Subscribe to the mailing list go to <a <p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
<br>
Secure: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a>.<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 8/1/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
</p> Eastep.</font></a></font><br>
<br> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>
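Review bot: the subscription link text near the end of the hunk reads "https//lists.shorewall.net/mailman/listinfo/shorewall-users" (colon missing) while the href itself is correct; since this change removes the plain-http link and leaves only the secure one, the visible text should become "https://lists.shorewall.net/mailman/listinfo/shorewall-users". Two typos are also carried over unchanged: "acknowleges" (acknowledges) in the LEAF credit and "as must as possible" (as much as possible) in the plain-text paragraph. The reworded sentence about converting HTML to plain text is clearer than the old "strip all HTML" wording, and the "Last Updated" date correctly moves to 9/17/2003.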

View File

@ -21,6 +21,11 @@
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 style="text-align: center;"><span style="font-style: italic;">"If
you think you can you can; if you think you can't you're right.<br>
If you don't believe that you can, why should someone else?" -- Gunnar
Tapper<br>
</span></h3>
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to <p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to
be sure that there isn't an update that you are missing for your be sure that there isn't an update that you are missing for your
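Review bot: the inserted quotation is missing two commas and should read "If you think you can, you can; if you think you can't, you're right."; it also uses an inline style="text-align: center;" on the new <h3> while the neighbouring heading uses align="left", so the page now mixes two alignment conventions. The <span> and <h3> added here are correctly closed.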
@ -194,7 +199,7 @@ in /etc/shorewall/shorewall.conf.</li>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 8/8/2003 - Tom Eastep</font> </p> <p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
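Review bot: the "Last updated" date is bumped to 8/29/2003 but the copyright line immediately below still reads "2001, 2002 Thomas M. Eastep."; the other page touched in this commit carries "2001, 2002, 2003", so extend this one to match. The empty <blockquote> </blockquote> inside the <font> element above it is dead markup and could be dropped while this region is being edited.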