From a53dd9bc49f490c5eb8dae3e8972c7a8a3156028 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 4 Sep 2006 17:06:17 +0000 Subject: [PATCH] A little maintenance of the FAQ -- Take 2 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4518 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/FAQ.xml | 166 ++++++++++++++++++++++++++++----------------------- 1 file changed, 91 insertions(+), 75 deletions(-) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 8dcec5717..baf2b8f76 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -58,6 +58,8 @@ (FAQ 37) I just installed Shorewall on Debian and the /etc/shorewall directory is empty!!! + Answer: + Once you have installed the .deb package and before you attempt to configure Shorewall, please heed the advice of Lorenzo Martignoni, @@ -258,7 +260,8 @@ DNAT net loc:<local IP address>[:< my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that? - In /etc/shorewall/rules: + Answer:In + /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT DNAT net loc:192.168.1.3:22 tcp 1022 
@@ -332,23 +335,23 @@ DNAT net fw:192.168.1.1:22 tcp 4104 (FAQ 30) I'm confused about when to use DNAT rules and when to use ACCEPT rules. - It would be a good idea to review the QuickStart Guide - appropriate for your setup; the guides cover this topic in a tutorial - fashion. DNAT rules should be used for connections that need to go the - opposite direction from SNAT/MASQUERADE. So if you masquerade or use - SNAT from your local network to the internet then you will need to use - DNAT rules to allow connections from the internet to your local network. - In all other cases, you use ACCEPT unless you need to hijack connections - as they go through your firewall and handle them on the firewall box - itself; in that case, you use a REDIRECT rule. + Answer:It would be a good idea to + review the QuickStart + Guide appropriate for your setup; the guides cover this topic in + a tutorial fashion. DNAT rules should be used for connections that need + to go the opposite direction from SNAT/MASQUERADE. So if you masquerade + or use SNAT from your local network to the internet then you will need + to use DNAT rules to allow connections from the internet to your local + network. In all other cases, you use ACCEPT unless you need to hijack + connections as they go through your firewall and handle them on the + firewall box itself; in that case, you use a REDIRECT rule.
(FAQ 38) Where can I find more information about DNAT? - Ian Allen has written a Paper about DNAT and + Answer:Ian Allen has written a + Paper about DNAT and Linux.
@@ -356,7 +359,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104 (FAQ 48) How do I Set up Transparent Proxy with Shorewall? - Answer: See Answer: See Shorewall_Squid_Usage.html. @@ -771,8 +774,8 @@ to debug/develop the newnat interface.
(FAQ 29) FTP Doesn't Work - See the Shorewall and FTP - page. + Answer:See the Shorewall and FTP page.
@@ -793,8 +796,9 @@ to debug/develop the newnat interface. interfaces are not defined to Shorewall. How do I tell Shorewall to allow traffic through the bridge? - Answer: Add the routeback option to - br0 in Answer: Add the + routeback option to br0 in /etc/shorewall/interfaces. For more information on this type of configuration, see the their connect requests. Can i exclude these error messages for this port temporarily from logging in Shorewall? - Temporarily add the following rule: + Answer:Temporarily add the + following rule: #ACTION SOURCE DEST PROTO DEST PORT(S) DROP net fw udp 10619 @@ -878,8 +883,9 @@ DROP net fw udp 10619 (FAQ 6d) Why is the MAC address in Shorewall log messages so long? I thought MAC addresses were only 6 bytes in length. - What is labeled as the MAC address in a Netfilter (Shorewall) - log message is actually the Ethernet frame header. It contains: + Answer:What is labeled as the + MAC address in a Netfilter (Shorewall) log message is actually the + Ethernet frame header. It contains: @@ -1329,8 +1335,9 @@ modprobe: Can't locate module iptable_raw (FAQ 32) My firewall has two connections to the internet from two different ISPs. How do I set this up in Shorewall? - Answer: See this article on Shorewall - and Routing. + Answer: See this article on Shorewall and + Routing.
@@ -1370,10 +1377,11 @@ modprobe: Can't locate module iptable_raw stop, I can't connect to anything. Why doesn't that command work? - The stop command is intended - to place your firewall into a safe state whereby only those hosts listed - in /etc/shorewall/routestopped' are activated. If - you want to totally open up your firewall, you must use the + Answer:The + stop command is intended to place your + firewall into a safe state whereby only those hosts listed in + /etc/shorewall/routestopped' are activated. If you + want to totally open up your firewall, you must use the shorewall[-lite] clear command.
@@ -1454,7 +1462,8 @@ Creating input Chains... (FAQ 22) I have some iptables commands that I want to run when Shorewall starts. Which file do I put them in? - You can place these commands in one of the Answer:You can place these + commands in one of the Shorewall Extension Scripts. Be sure that you look at the contents of the chain(s) that you will be modifying with your commands to be sure that the @@ -1469,10 +1478,11 @@ Creating input Chains...
(FAQ 34) How can I speed up start (restart)? - Using a light-weight shell such as ash can - dramatically decrease the time required to start or restart - Shorewall. See the SHOREWALL_SHELL variable in Answer:Using a light-weight shell + such as ash can dramatically decrease the time + required to start or restart Shorewall. See the SHOREWALL_SHELL + variable in shorewall.conf . Use a fast terminal emulator -- in particular the KDE konsole @@ -1605,7 +1615,8 @@ iptables: Invalid argument (FAQ 59) After I start Shorewall, there are lots of unused Netfilter modules loaded. How do I avoid that? - Answer: Copy /usr/share/shorewall/modules (or + Answer: Copy + /usr/share/shorewall/modules (or /usr/share/shorewall/xmodules if appropriate) to /etc/shorewall/modules and modify the copy to include only the modules that you need. @@ -1658,9 +1669,9 @@ iptables: Invalid argument
(FAQ 10) What Distributions does Shorewall work with? - Shorewall works with any GNU/Linux distribution that includes the - proper - prerequisites. + Answer: Shorewall works with any + GNU/Linux distribution that includes the proper prerequisites.
@@ -1693,17 +1704,19 @@ iptables: Invalid argument
(FAQ 23) Why do you use such ugly fonts on your web site? - The Shorewall web site is almost font neutral (it doesn't - explicitly specify fonts except on a few pages) so the fonts you see are - largely the default fonts configured in your browser. If you don't like - them then reconfigure your browser. + Answer: The Shorewall web site is + almost font neutral (it doesn't explicitly specify fonts except on a few + pages) so the fonts you see are largely the default fonts configured in + your browser. If you don't like them then reconfigure your + browser.
(FAQ 25) How do I tell which version of Shorewall or Shorewall Lite I am running? - At the shell prompt, type: + Answer: At the shell prompt, + type: /sbin/shorewall[-lite] version
@@ -1717,7 +1730,7 @@ iptables: Invalid argument internal LAP IP address as the source address? - Answer: Yes. + Answer: Yes. @@ -1726,9 +1739,10 @@ iptables: Invalid argument fragments? - Answer: This is the responsibility of the IP stack, not the - Netfilter-based firewall since fragment reassembly occurs before - the stateful packet filter ever touches each packet. + Answer: This is the + responsibility of the IP stack, not the Netfilter-based firewall + since fragment reassembly occurs before the stateful packet filter + ever touches each packet. @@ -1737,11 +1751,11 @@ iptables: Invalid argument broadcast address as the source address? - Answer: Shorewall can be configured to do that using the - blacklisting - facility. Shorewall versions 2.0.0 and later filter these packets - under the nosmurfs interface option in - Answer: Shorewall can be + configured to do that using the blacklisting facility. + Shorewall versions 2.0.0 and later filter these packets under the + nosmurfs interface option in /etc/shorewall/interfaces. @@ -1751,7 +1765,7 @@ iptables: Invalid argument source and destination address? - Answer: Yes, if the Answer: Yes, if the routefilter interface option is selected. @@ -1761,11 +1775,11 @@ iptables: Invalid argument DOS: - SYN Dos - ICMP Dos - Per-host Dos protection - Answer: Shorewall has facilities for limiting SYN and ICMP - packets. Netfilter as included in standard Linux kernels doesn't - support per-remote-host limiting except by explicit rule that - specifies the host IP address; that form of limiting is supported - by Shorewall. + Answer: Shorewall has + facilities for limiting SYN and ICMP packets. Netfilter as + included in standard Linux kernels doesn't support per-remote-host + limiting except by explicit rule that specifies the host IP + address; that form of limiting is supported by Shorewall. @@ -1774,8 +1788,8 @@ iptables: Invalid argument
(FAQ 36) Does Shorewall Work with the 2.6 Linux Kernel? - Shorewall works with the 2.6 Kernels with a couple of - caveats: + Answer: Shorewall works with the + 2.6 Kernels with a couple of caveats: @@ -1838,8 +1852,9 @@ iptables: Invalid argument DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client cannot renew its lease. - The solution is the same as above. - Simply substitute the IP address of your ISPs DHCP server. + Answer: The solution is the + same as above. Simply substitute the IP + address of your ISPs DHCP server.
@@ -1966,7 +1981,7 @@ eth0 eth1 # eth1 = interface to local netwo (FAQ 20) I have just set up a server. Do I have to change Shorewall to allow access to my server from the internet? - Yes. Consult the Answer: Yes. Consult the QuickStart guide that you used during your initial setup for information about how to set up rules for your server. @@ -1976,9 +1991,9 @@ eth0 eth1 # eth1 = interface to local netwo (FAQ 24) How can I allow conections to let's say the ssh port only from specific IP Addresses on the internet? - In the SOURCE column of the rule, follow net by a - colon and a list of the host/subnet addresses as a comma-separated - list. + Answer: In the SOURCE column of + the rule, follow net by a colon and a list of the + host/subnet addresses as a comma-separated list. net:<ip1>,<ip2>,... @@ -1994,21 +2009,21 @@ eth0 eth1 # eth1 = interface to local netwo behind the firewall, I get operation not permitted. How can I use nmap with Shorewall?" - Temporarily remove and rejNotSyn, dropNotSyn and dropInvalid rules - from /etc/shorewall/rules and restart - Shorewall. + Answer: Temporarily remove and + rejNotSyn, dropNotSyn and dropInvalid rules from + /etc/shorewall/rules and restart Shorewall.
(FAQ 27) I'm compiling a new kernel for my firewall. What should I look out for? - First take a look at the Shorewall kernel - configuration page. You probably also want to be sure that you - have selected the NAT of local connections - (READ HELP) on the Netfilter Configuration menu. - Otherwise, DNAT rules with your firewall as the source zone won't work - with your new kernel. + Answer: First take a look at the + Shorewall kernel configuration page. You + probably also want to be sure that you have selected the + NAT of local connections (READ HELP) + on the Netfilter Configuration menu. Otherwise, DNAT rules with + your firewall as the source zone won't work with your new kernel.
(FAQ 27a) I just built (or downloaded or otherwise acquired) @@ -2042,8 +2057,9 @@ iptables: Invalid argument <section id="faq28"> <title>(FAQ 28) How do I use Shorewall as a Bridging Firewall? - Shorewall Bridging Firewall support is available — check here for details. + Answer: Shorewall Bridging + Firewall support is available — check here for + details.
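Review bot: The new "Answer:" label is spaced inconsistently across the patch. The hunks at -258 (`Answer:In`), -332 (`Answer:It would be`), -348 (`Answer:Ian`), -771 (`Answer:See`), -793 (`Answer:Temporarily`), -878 (`Answer:What`), -1370 (`Answer:The`), -1454 (`Answer:You`) and -1469 (`Answer:Using`) run the label straight into the answer text, while -356, -1329, -1605, -1658 and every later hunk write `Answer: ` with a space. Pick one form (the spaced one already used by the untouched -356 line and by the majority of the new lines) and apply it throughout, otherwise the rendered FAQ will show "Answer:It" on some entries and "Answer: Yes." on others.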
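Review bot: In the -1370 hunk the reflowed `+` line still carries the stray trailing quote in `/etc/shorewall/routestopped'`; since the sentence is being rewritten anyway, drop the apostrophe so the path reads `/etc/shorewall/routestopped`, matching how every other path in this file is written.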
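Review bot: The -1994 hunk reproduces the garbled phrase `Temporarily remove and rejNotSyn, dropNotSyn and dropInvalid rules` in its `+` line; "remove and" looks like a typo for "remove any". Suggest `Answer: Temporarily remove any rejNotSyn, dropNotSyn and dropInvalid rules from /etc/shorewall/rules and restart Shorewall.`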
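Review bot: In the -1838 hunk the `+` line `address of your ISPs DHCP server.` needs the possessive apostrophe: `address of your ISP's DHCP server.`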
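Review bot: The unchanged context line in the -1717 hunk, `internal LAP IP address as the source address?`, reads as a typo for `LAN`; since this hunk already edits the answer line directly below it, it is worth fixing the question in the same pass rather than leaving it for a separate commit.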
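Review bot: The -1976 hunk leaves the title context line `(FAQ 24) How can I allow conections to let's say the ssh port only from specific IP Addresses on the internet?` untouched; `conections` should be `connections`, and the hunk is already rewriting the answer immediately after it, so the correction fits here.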