Shorewall-1.3.9a

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@271 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-09-30 18:11:25 +00:00
parent e7c44ec80e
commit a637e72aad
37 changed files with 11064 additions and 10226 deletions


@ -1,19 +1,18 @@
Changes since 1.3.7 Changes since 1.3.8
1. Correct rules file handling bug introduced in 1.3.7. 1. DNAT rules that remap a port but leave the IP address unchanged are
now handled properly.
2. Correct handling of DNAT rule where source is $FW 2. The use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file now works correctly.
3. Reverse order of RFC 1918 and DHCP filtering 3. Added support for /etc/shorewall/startup_disabled.
4. "shorewall refresh" fix for FORWARDPING=Yes 4. Added support for DNS names in config files.
5. Replace tab with space in blacklist output. 5. Don't insist on state NEW for protocols other than tcp, udp and
icmp. Workaround for conntrack glitches in other protocols.
6. Added NEWNOTSYN option
7. Assume 'multi' if canonical chain exists.
8. Add PROTOCOL and PORT columns to blacklist file
6. Move 'functions', 'version' and 'firewall' to /usr/lib/shorewall.
7. Fix problems with oddball shells.



@ -1,106 +1,110 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Shorewall Index</title> content="text/html; charset=windows-1252">
<base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#4B017C" height="90"> <table border="0" cellpadding="0" cellspacing="0"
<tr> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<td width="100%" height="90"> bgcolor="#4b017c" height="90">
<h3 align="center"><font color="#FFFFFF">Shorewall</font></h3> <tbody>
</td> <tr>
</tr> <td width="100%" height="90">
<tr>
<td width="100%" bgcolor="#FFFFFF"> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
<ul> </td>
<li> </tr>
<a href="seattlefirewall_index.htm">Home</a></li> <tr>
<li> <td width="100%" bgcolor="#ffffff">
<a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a></li>
<li> <ul>
<a href="shorewall_features.htm">Features</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <li> <a href="shorewall_features.htm">Features</a></li>
<a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <li> <a href="download.htm">Download</a></li>
<a href="download.htm">Download</a></li> <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li> <a href="Install.htm">Configuration</a></li>
<li> <li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Documentation.htm">Reference Manual</a></li>
<a href="Install.htm">Configuration</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li> <li><a href="useful_links.html">Useful Links</a><br>
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li> </li>
<li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<a href="Documentation.htm">Reference Manual</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<a href="FAQ.htm">FAQs</a></li> <li> <a href="support.htm">Support</a></li>
<li> <li> <a href="mailing_list.htm">Mailing Lists</a></li>
<a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li>
<a href="errata.htm">Errata</a></li> <ul>
<li> <li><a target="_top" href="http://slovakia.shorewall.net">Slovak
<a href="upgrade_issues.htm">Upgrade Issues</a></li> Republic</a></li>
<li> <li><a target="_top"
<a href="support.htm">Support</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li> <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<a href="mailing_list.htm">Mailing Lists</a></li> <li><a target="_top"
<li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<a href="shorewall_mirrors.htm">Mirrors</a><ul> <li><a target="_top" href="http://france.shorewall.net">France</a></li>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li> </ul>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li> </li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
</ul> </ul>
</li>
</ul> <ul>
<ul> <li> <a href="News.htm">News Archive</a></li>
<li> <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<a href="News.htm">News Archive</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <li> <a href="shoreline.htm">About the Author</a></li>
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></li> <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li>
<a href="quotes.htm">Quotes from Users</a></li> </ul>
<li> </td>
<a href="shoreline.htm">About the Author</a></li> </tr>
<li>
<a href="seattlefirewall_index.htm#Donations">Donations</a></li> </tbody>
</ul>
</td>
</tr>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch" > <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <strong><br>
<strong>Quick Search</strong><br> <b>Note: </b></strong>Search is unavailable Daily 0100-0200 GMT.<br>
<font face="Arial" size="-1"> <strong></strong>
<input type=text name=words size=15></font><font size="-1"> </font> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <font face="Arial" size="-1"> <input type="text"
<input type=hidden name=format value=long> name="words" size="15"></font><font size="-1"> </font> <font
<input type=hidden name=method value=and> face="Arial" size="-1"> <input type="hidden" name="format"
<input type=hidden name=config value=htdig> value="long"> <input type="hidden" name="method" value="and"> <input
<input type="submit" value="Search"></font> type="hidden" name="config" value="htdig"> <input type="submit"
</p> value="Search"></font> </p>
<font face="Arial"> <font face="Arial"> <input type="hidden" name="exclude"
<input type="hidden" name="exclude" value="[http://www.shorewall.net/pipermail/*]"> value="[http://www.shorewall.net/pipermail/*]"> </font> </form>
</font>
</form> <p><b><a href="htdig/search.html">Extended Search</a></b></p>
<p><strong><a href="htdig/search.html">Extended Search Forms</a></strong></p> <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p> <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
<p><a href="http://www.shorewall.net" target="_top"> </a></p>
<img border="1" src="images/shorewall.jpg" width="119" height="38" hspace="0"></a></p> <br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html>
</html>


@ -1,233 +1,300 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Configuration File Basics</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Configuration Files</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/"> configuration files on a system running Microsoft Windows, you <u>must</u>
dos2unix</a> before you use them with Shorewall.</b></p> run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2>Files</h2>
<h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<ul> <li>/etc/shorewall/shorewall.conf - used to set several firewall
<li>/etc/shorewall/shorewall.conf - used to set several firewall parameters.</li>
parameters.</li> <li>/etc/shorewall/params - use this file to set shell variables
<li>/etc/shorewall/params - use this file to set shell variables that you will that you will expand in other files.</li>
expand in other files.</li> <li>/etc/shorewall/zones - partition the firewall's view of the
<li>/etc/shorewall/zones - partition the firewall's view of the world world into <i>zones.</i></li>
into <i>zones.</i></li> <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li> <li>/etc/shorewall/interfaces - describes the interfaces on the
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li> firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual <li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li> hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one <li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source (dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).</li> Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li> <li>/etc/shorewall/modules - directs the firewall to load kernel
<li>/etc/shorewall/rules - defines rules that are exceptions to the modules.</li>
overall policies established in /etc/shorewall/policy.</li> <li>/etc/shorewall/rules - defines rules that are exceptions to
<li>/etc/shorewall/nat - defines static NAT rules.</li> the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
accessible when Shorewall is stopped.</li> <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
<li>/etc/shorewall/tcrules - defines marking of packets for later use by hosts accessible when Shorewall is stopped.</li>
traffic control/shaping or policy routing.</li> <li>/etc/shorewall/tcrules - defines marking of packets for later
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet use by traffic control/shaping or policy routing.</li>
headers.</li> <li>/etc/shorewall/tos - defines rules for setting the TOS field
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on in packet headers.</li>
the firewall system.</li> <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li> with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
</ul> </ul>
<h2>Comments</h2>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign (&quot;#&quot;). You may also place comments at the end of any line, again by character a pound sign ("#"). You may also place comments at the end
delimiting the comment from the rest of the line with a pound sign.</p> of any line, again by delimiting the comment from the rest of the line
with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
<pre># This is a comment</pre>
<pre># This is a comment</pre><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2> <h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
<p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed ("\") followed immediately by a new line character.</p>
immediately by a new line character.</p>
<p>Example:</p>
<p>Example:</p> <pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre> <p align="left"> </p>
<h2>Complementing an Address or Subnet</h2>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
<p>Where specifying an IP address, a subnet or an interface, you can using DNS names in Shorewall configuration files. If you use DNS names and
precede the item with &quot;!&quot; to specify the complement of the item. For you are called out of bed at 2:00AM because Shorewall won't start as a result
example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p> of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<h2>Comma-separated Lists</h2>
<p align="left"><b>    -Tom<br>
<p>Comma-separated lists are allowed in a number of contexts within the </b></p>
configuration files. A comma separated list:</p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
<ul> configuration files may be specified either as IP addresses or as DNS Names.<br>
<li>Must not have any embedded white space.<br> <br>
Valid: routestopped,dhcp,norfc1918<br> DNS names in iptables rules aren't nearly as useful as they first appear.
Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp; When a DNS name appears in a rule, the iptables utility resolves the name
norfc1818</li> to one or more IP addresses and inserts those addresses into the rule. So
<li>If you use line continuation to break a comma-separated list, the change in the DNS-&gt;IP address relationship that occur after the firewall
continuation line(s) must begin in column 1 (or there would be embedded has started have absolutely no effect on the firewall's ruleset. </p>
white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li> <p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't start.</li>
<li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your firewall.<br>
</li>
</ul> </ul>
<h2>Port Numbers/Service Names</h2> <p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
<p>Unless otherwise specified, when giving a port number you can use by Shorewall to insure backward compatibility with existing configuration
either an integer or a service name from /etc/services. </p> files.<br>
<br>
<h2>Port Ranges</h2> Examples of valid DNS names:<br>
</p>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p> <ul>
<li>mail.shorewall.net</li>
<h2>Using Shell Variables</h2> <li>shorewall.net.</li>
<p>You may use the file /etc/shorewall/params </ul>
file to set shell variables that you can then use in some of the other Examples of invalid DNS names:<br>
configuration files.</p>
<ul>
<p>It is suggested that variable names begin with an upper case letter<font size="1"> <li>mail (not fully qualified)</li>
</font>to distinguish them from variables used internally within the <li>shorewall.net (only one period)</li>
Shorewall programs</p>
</ul>
<p>Example:</p> DNS names may not be used as:<br>
<blockquote> <ul>
<pre>NET_IF=eth0 <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
NET_BCAST=130.252.100.255 <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
NET_OPTIONS=noping,norfc1918</pre> <li>In the /etc/shorewall/nat file.</li>
</blockquote>
</ul>
<p><br> These are iptables restrictions and are not simply imposed for your inconvenience
Example (/etc/shorewall/interfaces record):</p> by Shorewall. <br>
<br>
<font face="Century Gothic, Arial, Helvetica">
<h2>Complementing an Address or Subnet</h2>
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <p>Where specifying an IP address, a subnet or an interface, you can
</blockquote> precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4".</p>
</font>
<h2>Comma-separated Lists</h2>
<p>The result will be the same as if the record had been written</p>
<p>Comma-separated lists are allowed in a number of contexts within the
<font face="Century Gothic, Arial, Helvetica"> configuration files. A comma separated list:</p>
<blockquote> <ul>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre> <li>Must not have any embedded white space.<br>
</blockquote> Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
</font> <li>If you use line continuation to break a comma-separated list,
the continuation line(s) must begin in column 1 (or there would be
<p>Variables may be used anywhere in the embedded white space)</li>
other configuration files.</p> <li>Entries in a comma-separated list may appear in any order.</li>
<h2>Using MAC Addresses</h2> </ul>
<p>Media Access Control (MAC) <h2>Port Numbers/Service Names</h2>
addresses can be used to specify packet source in several of the
configuration files. To use this feature, your kernel must have MAC <p>Unless otherwise specified, when giving a port number you can use
Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p> either an integer or a service name from /etc/services. </p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> <h2>Port Ranges</h2>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
separated by colons. Example:<br> port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br> <h2>Using Shell Variables</h2>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176 Bcast:206.124.146.255 <p>You may use the file /etc/shorewall/params file to set shell variables
Mask:255.255.255.0<br> that you can then use in some of the other configuration files.</p>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0 overruns:0 <p>It is suggested that variable names begin with an upper case letter<font
frame:0<br> size="1"> </font>to distinguish them from variables used internally
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0 overruns:0 within the Shorewall programs</p>
carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br> <p>Example:</p>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br> <blockquote>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
<br> </blockquote>
Because Shorewall uses colons as a separator for address fields, Shorewall requires
MAC addresses to be written in another way. In Shorewall, MAC addresses <p><br>
begin with a tilde (&quot;~&quot;) and consist of 6 hex numbers separated by Example (/etc/shorewall/interfaces record):</p>
hyphens. In Shorewall, the MAC address in the example above would be <font
written &quot;~02-00-08-E3-FA-55&quot;.</p> face="Century Gothic, Arial, Helvetica">
<blockquote>
<h2>Shorewall Configurations</h2> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
<p> </blockquote>
Shorewall allows you to have configuration </font>
directories other than /etc/shorewall. The <a href="#Starting">shorewall start
and restart</a> <p>The result will be the same as if the record had been written</p>
commands allow you to specify an alternate configuration directory and <font
Shorewall will use the files in the alternate directory rather than the corresponding face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6
hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6
hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written "~02-00-08-E3-FA-55".</p>
<h2>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the corresponding
files in /etc/shorewall. The alternate directory need not contain a complete files in /etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read from configuration; those files not in the alternate directory will be read from
/etc/shorewall.</p> /etc/shorewall.</p>
<p>
This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
<ol>
<li> <ol>
copying the files that need modification from /etc/shorewall to a separate <li> copying the files that need modification from /etc/shorewall
directory;</li> to a separate directory;</li>
<li> <li> modify those files in the separate directory; and</li>
modify those files in the separate directory; and</li> <li> specifying the separate directory in a shorewall start or
<li> shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
specifying the separate directory in a shorewall start or shorewall ).</li>
restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
).</li> </ol>
</ol>
<p><font size="2">
Updated 8/6/2002 - <a href="support.htm">Tom <p><font size="2"> Updated 9/24/2002 - <a href="support.htm">Tom Eastep</a>
Eastep</a> </font></p>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> <br>
</body>
</html> </html>


@ -1,305 +1,305 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title> <title>Download</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p> for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p> <p>Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel, Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 kernel,
you can use the RPM version (note: the RPM should also work you can use the RPM version (note: the RPM should also work
with other distributions that store init scripts in /etc/init.d with other distributions that store init scripts in /etc/init.d
and that include chkconfig or insserv). If you find that it works and that include chkconfig or insserv). If you find that it works
in other cases, let <a href="mailto:teastep@shorewall.net"> me</a> in other cases, let <a href="mailto:teastep@shorewall.net"> me</a>
know so that I can mention them here. See the <a know so that I can mention them here. See the <a
href="Install.htm">Installation Instructions</a> if you have problems href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.</li> installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also want <li>If you are running LRP, download the .lrp file (you might also want
to download the .tgz so you will have a copy of the documentation).</li> to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
like a .deb package, Shorewall is in both the <a would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li> <li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p> to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
the version)</li> the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p> that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
CONNECTIVITY.</b></font></p> <p>Download Latest Version (<b>1.3.9a</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p>
<p>Download Latest Version (<b>1.3.8</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p> <blockquote>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download <td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download <a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download <a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" <td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm"
target="_blank"> Download .rpm</a> <br> target="_blank"> Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
target="_blank">Download .tgz</a> <br> target="_blank">Download .tgz</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" <a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
target="_blank">Download .lrp</a></td> target="_blank">Download .lrp</a></td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td> .rpm</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td> .lrp</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br> .rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download <a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br> .tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download <a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td> <a target="_blank" <td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td> Download .lrp</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td> Download .lrp</a></td>
</tr> </tr>
<tr> <tr>
<td>Paris, France</td> <td>Paris, France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download <td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download <a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>Browse Download Sites:</p> <p>Browse Download Sites:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td> target="_blank">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> <td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td><a <td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>California, USA (Incomplete)</td> <td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td> <td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td> <td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left">CVS:</p> <p align="left">CVS:</p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at all.</p> component. There's no guarantee that what you find there will work at all.</p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 9/2/2002 - <a <p align="left"><font size="2">Last Updated 9/26/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br>
</body> </body>
</html> </html>


@ -1,429 +1,442 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr> <table border="0" cellpadding="0" cellspacing="0"
<td width="100%"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<h1 align="center"><font color="#FFFFFF">Shorewall Errata/Upgrade Issues</font></h1> bgcolor="#400169" height="90">
</td> <tbody>
</tr> <tr>
</table> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
<p align="center"> </td>
<b><u>IMPORTANT</u></b></p> </tr>
<ol>
<li>
<p align="left">
<b><u>I</u>f you use a Windows system to download a corrected script, be sure to
run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" style="text-decoration: none">
dos2unix</a></u>
after you have moved it to your Linux system.</b></p>
</li>
<li>
<p align="left">
<b>If you are installing Shorewall for the first time and plan to use the
.tgz and install.sh script, you can untar the archive, replace the
'firewall' script in the untarred directory with the one you downloaded
below, and then run install.sh.</b></p>
</li>
<li>
<p align="left">
<b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li>
<b><a href="#V1.3">Problems in Version 1.3</a></b></li>
<li>
<b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li>
<b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li>
<b><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li>
<b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
</ul>
<hr>
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3>
<p>&quot;shorewall refresh&quot; is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
&quot;shorewall refresh&quot;, the firewall will not forward
icmp echo-request (ping) packets. Installing
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If &quot;norfc1918&quot; and &quot;dhcp&quot; are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall is running a DHCP server,
the client won't be able to obtain an IP address
lease from that server.</li>
<li>With this order of checking, the &quot;dhcp&quot;
option cannot be used as a noise-reduction
measure where there are both dynamic and static
clients on a LAN segment.</li>
</ol>
<p>
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed in /var/lib/shorewall
as described above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type &quot;md5sum &lt;<i>whatever package you downloaded</i>&gt; and
compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7
version in each sequence from now on.</p>
<h3 align="Left">Version 1.3.6</h3>
<ul>
<li>
<p align="Left">If ADD_SNAT_ALIASES=Yes is specified in
/etc/shorewall/shorewall.conf, an error occurs when the firewall
script attempts to add an SNAT alias.</li>
<li>
<p align="Left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables 1.2.7.</li>
</ul>
<p align="Left">These problems are fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="Left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="Left">A line was inadvertently deleted from the &quot;interfaces
file&quot; -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="Left">net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; detect&nbsp;&nbsp;&nbsp;
routefilter,dhcp,norfc1918</p>
<p align="Left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="Left">Version 1.3.5-1.3.5b</h3>
<p align="Left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="Left">Versions 1.3.4-1.3.5a</h3>
<p align="Left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to&nbsp; include a single host specification on each line. This
problem is corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</div>
<h3 align="Left">Version 1.3.5</h3>
<p align="Left">REDIRECT rules are broken in this version. Install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="Left">Version 1.3.n, n &lt; 4</h3>
<p align="Left">The &quot;shorewall start&quot; and &quot;shorewall restart&quot; commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file. The
&quot;shorewall check&quot; command does perform this verification so it's a
good idea to run that command after you have made configuration
changes.</p>
<h3 align="Left">Version 1.3.n, n &lt; 3</h3>
<p align="Left">If you have upgraded from Shorewall 1.2 and after
&quot;Activating rules...&quot; you see the message: &quot;iptables: No
chains/target/match by that name&quot; then you probably have an entry in
/etc/shorewall/hosts that specifies an interface that you didn't
include in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
later versions produce a clearer error message in this case.</p>
<h3 align="Left">Version 1.3.2</h3>
<p align="Left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.</li>
</ul>
<p align="Left">Both problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
<ul>
<li>
<p align="Left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="Left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
<br>
net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; dhcp<br>
loc&nbsp;&nbsp;&nbsp; eth1&nbsp;&nbsp;&nbsp; dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior bullet
affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT today
should download and install the corrected script again to ensure
that this second problem is corrected.</li>
</ul>
<p align="Left">These problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in
/etc/shorewall/firewall as described above.</p>
<h3 align="Left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the download page
before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than
1.3.0. The &quot;shorewall version&quot; command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="Left">The upgrade issues have moved to
<a href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<blockquote>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 </tbody>
and RedHat iptables</h3> </table>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may <p align="center"> <b><u>IMPORTANT</u></b></p>
experience the following:</p>
<blockquote> <ol>
<pre># shorewall start <li>
Processing /etc/shorewall/shorewall.conf ... <p align="left"> <b><u>I</u>f you use a Windows system to download
Processing /etc/shorewall/params ... a corrected script, be sure to run the script through <u> <a
Starting Shorewall... href="http://www.megaloman.com/%7Ehany/software/hd2u/"
Loading Modules... style="text-decoration: none;"> dos2unix</a></u> after you have moved
Initializing... it to your Linux system.</b></p>
Determining Zones... </li>
Zones: net <li>
Validating interfaces file... <p align="left"> <b>If you are installing Shorewall for the first
Validating hosts file... time and plan to use the .tgz and install.sh script, you can untar
Determining Hosts in Zones... the archive, replace the 'firewall' script in the untarred directory
Net Zone: eth0:0.0.0.0/0 with the one you downloaded below, and then run install.sh.</b></p>
iptables: libiptc/libip4tc.c:380: do_check: Assertion </li>
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed. <li>
Aborted (core dumped) <p align="left"> <b>When the instructions say to install a corrected
iptables: libiptc/libip4tc.c:380: do_check: Assertion firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed. or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
Aborted (core dumped) the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
</pre> or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
</blockquote> and /var/lib/shorewall/firewall are symbolic links that point
<p>The RedHat iptables RPM is compiled with debugging enabled but the to the 'shorewall' file used by your system initialization scripts to
user-space debugging code was not updated to reflect recent changes in the start Shorewall during boot. It is that file that must be overwritten
Netfilter 'mangle' table. You can correct the problem by installing with the corrected script. </b></p>
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> </li>
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g., </ol>
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in Version
1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
</ul>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script at
<a href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
</a>-- copy that file to /usr/lib/shorewall/firewall as descripbed above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall is running a DHCP
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the
"dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic and
static clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
<h3><a name="SuSE"></a>Problems <h3 align="left">Version 1.3.6</h3>
installing/upgrading RPM on SuSE</h3>
<ul>
<p>If you find that rpm complains about a conflict <li>
with kernel &lt;= 2.2 yet you have a 2.4 kernel <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
installed, simply use the &quot;--nodeps&quot; option to an error occurs when the firewall script attempts to add an SNAT
rpm.</p> alias. </p>
</li>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
<h3><a name="Multiport"></a><b>Problems with </li>
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
</ul>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to <p align="left">These problems are fixed in <a
specify multiport match rules; as a consequence, href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
if you install iptables 1.2.7 you must be running this correct firewall script</a> which must be installed in
Shorewall 1.3.7a or later or:</p> /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<ul>
<li>set MULTIPORT=No in <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may <p align="left">A line was inadvertently deleted from the "interfaces
install file" -- this line should be added back in if the version that you
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> downloaded is missing it:</p>
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
</ul>
<p><font size="2"> <p align="left">If you downloaded two-interfaces-a.tgz then the above
Last updated 9/1/2002 - line should already be in the file.</p>
<a href="support.htm">Tom Eastep</a></font> </p>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This
problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p>
</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error message
in this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
"NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT
today should download and install the corrected script again
to ensure that this second problem is corrected.</li>
</ul>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the download
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
rather than 1.3.0. The "shorewall version" command will tell
you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6
you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<p><font size="2"> Last updated 9/28/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>


@ -1,139 +1,183 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Shorewall Mailing Lists</title> content="text/html; charset=windows-1252">
<meta name="Microsoft Theme" content="none">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<tr> bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html"> <tr>
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1> <td width="100%">
<p align="right"><font color="#FFFFFF"><b>Powered by Postfix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <h1 align="center"><a
</b></font> href="http://www.gnu.org/software/mailman/mailman.html"> <img
</td> border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
</tr> height="35">
</a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
<p align="right"><font color="#ffffff"><b>Powered by Postfix     
</b></font> </p>
</td>
</tr>
</tbody>
</table> </table>
<p align="left"> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
<b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left">Not getting List Mail? -- <a
<h2 align="left">Not getting List Mail? -- <a href="mailing_list_problems.htm">Check href="mailing_list_problems.htm">Check Here</a></h2>
Here</a></h2>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
<a href="http://ordb.org"> src="images/but3.png" hspace="3" width="88" height="31">
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a><a href="http://osirusoft.com/"><img border="0" src="images/ORE.jpg" width="88" height="37"></a></h2>  </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks the sender of incoming mail against the open relay at shorewall.net checks the sender of incoming mail against the open
databases at <a href="http://ordg.org">ordb.org</a> and at relay databases at <a href="http://ordb.org">ordb.org.</a></p>
<a href="http://osirusoft.com">osirusoft.com</a>.</p>
<h2></h2>
<h2>Search the Mailing List Archives</h2>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<font size="-1"> <p> <font size="-1"> Match:
Match: <select name="method"> <select name="method">
<option value="and">All <option value="and">All </option>
<option value="or">Any <option value="or">Any </option>
<option value="boolean">Boolean <option value="boolean">Boolean </option>
</select> </select>
Format: <select name="format"> Format:
<option value="builtin-long">Long <select name="format">
<option value="builtin-short">Short <option value="builtin-long">Long </option>
</select> <option value="builtin-short">Short </option>
Sort by: <select name="sort"> </select>
<option value="score">Score Sort by:
<option value="time">Time <select name="sort">
<option value="title">Title <option value="score">Score </option>
<option value="revscore">Reverse Score <option value="time">Time </option>
<option value="revtime">Reverse Time <option value="title">Title </option>
<option value="revtitle">Reverse Title <option value="revscore">Reverse Score </option>
</select> <option value="revtime">Reverse Time </option>
</font> <option value="revtitle">Reverse Title </option>
<input type="hidden" name="config" value="htdig"> </select>
<input type="hidden" name="restrict" value="[http://www.shorewall.net/pipermail/.*]"> </font> <input type="hidden" name="config" value="htdig"> <input
<input type="hidden" name="exclude" value=""> type="hidden" name="restrict"
<br> value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
Search: name="exclude" value=""> <br>
<input type="text" size="30" name="words" value=""> Search: <input type="text" size="30" name="words" value=""> <input
<input type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users to get
answers to questions and to report problems. <p align="left">The Shorewall Users Mailing list provides a way for users
Information of general interest to the Shorewall user community is also posted to get answers to questions and to report problems. Information of general
to this list.</p> interest to the Shorewall user community is also posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see the
<a href="support.htm">problem reporting guidelines</a>.</b></p> <p align="left"><b>Before posting a problem report to this list, please see
<p align="left">To subscribe to the mailing list, go to the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p align="left">To post to the list, post to <a href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p> <p align="left">To subscribe to the mailing list, go to <a
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <a href="http://sourceforge.net">Sourceforge</a>.
The archives from that list may be found at <a href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> <p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to Shorewall community. To subscribe, go to <a
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p> href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for the
exchange of ideas about the future of Shorewall and for coordinating ongoing <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating ongoing
Shorewall Development.</p> Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p> <p align="left">To subscribe to the mailing list, go to <a
<p align="left">To post to the list, post to <a href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>.&nbsp;</p> href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of the <p align="left">To post to the list, post to <a
Mailing Lists</h2> href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p> from Mailman-managed lists. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe to the <p align="left">Follow the same link above that you used to subscribe
list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: &quot;To <p align="left">Down at the bottom of that page is the following text:
change your subscription (set options like digest and delivery modes, get a "To change your subscription (set options like digest and delivery modes,
reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;), enter get a reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;),
your subscription email address:&quot;. Enter your email address in the box and click enter your subscription email address:". Enter your email address in the
on the &quot;Edit Options&quot; button.</p> box and click on the "Edit Options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password and <p align="left">There will now be a box where you can enter your password
click on &quot;Unsubscribe&quot;; if you have forgotten your password, there is another and click on "Unsubscribe"; if you have forgotten your password, there is
button that will cause your password to be emailed to you.</p> another button that will cause your password to be emailed to you.</p>
</li> </li>
</ul> </ul>
<hr>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2> <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 7/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p> <p align="left"><font size="2">Last updated 9/27/2002 - <a
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> href="support.htm">Tom Eastep</a></font></p>
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body> </body>
</html>
</html>


@ -1,131 +1,133 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title> <title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1> <h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<blockquote> </blockquote> <blockquote> </blockquote>
<h1>My Current Network </h1> <h1>My Current Network </h1>
<blockquote> <blockquote>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
and a DMZ connected to eth1 (192.168.2.0/24). </p> and a DMZ connected to eth1 (192.168.2.0/24). </p>
<p> I use:<br> <p> I use:<br>
</p> </p>
<ul> <ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li> and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses: <li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
192.168.1.3/24 and 206.124.146.179/24.</li> 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for  my <li>SNAT through the primary gateway address (206.124.146.176) for 
Wife's system (tarry) and the Wireless Access Point (wap)</li> my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul> </ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p> <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its <p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p> own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable. <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p> PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix, <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our (Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p> old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local <p> The firewall system itself runs a DHCP server that serves the local
network.</p> network.</p>
<p> All administration and publishing is done using ssh/scp.</p> <p> All administration and publishing is done using ssh/scp.</p>
<p> I run an SNMP server on my firewall to serve <a <p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p> in the DMZ.</p>
<p align="center"> <img border="0" <p align="center"> <img border="0"
src="images/network.png" width="764" height="846"> src="images/network.png" width="764" height="846">
</p> </p>
<p> </p>
<p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version
1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3>
<blockquote> <p> </p>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p> <p>The ethernet interface in the Server is configured
</blockquote> with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version
1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3> <h3>Hosts File: </h3>
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3>Routestopped File:</h3> <h3>Routestopped File:</h3>
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre> <pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
<h3>Common File: </h3> <h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre> <pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
<h3>Policy File:</h3> <h3>Policy File:</h3>
<pre><font size="2" face="Courier"> <pre><font size="2" face="Courier">
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT me all ACCEPT
@ -133,33 +135,34 @@ my Ethernet interfaces. </p>
all me CONTINUE #<font all me CONTINUE #<font
color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre> color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
<h3>Masq File: </h3> <h3>Masq File: </h3>
<blockquote> <blockquote>
<p> Although most of our internal systems use static NAT, my wife's system <p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p> (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
</blockquote> </blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw 
udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT 
net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/14/2002 - </font><font size="2"> <p><font size="2"> Last updated 9/19/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</body> </body>
</html> </html>


@ -1,96 +1,101 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Quotes from Shorewall Users</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Quotes from Shorewall Users</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
<p>&quot;I just installed Shorewall after weeks of messing with and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
ipchains/iptables and I had it up and running in under 20 minutes!&quot; </p>
-- JL, Ohio "My case was almost like [the one above]. Well. instead of 'weeks' it was
</p> 'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<p>&quot;I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 <li>Other to see that this was the default configuration, and it was enough
without any problems. Your documentation is great and I really appreciate to uncomment a line in /etc/shorewall/policy.<br>
your network configuration info. That really helped me out alot. </li>
THANKS!!!&quot; -- MM. </ul>
</p> Minutes instead of months! Congratulations and thanks for such a simple and
well documented thing for something as huge as iptables." -- JV, Spain.
<p>&quot;[Shorewall is a] great, great project. I've used/tested may <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
firewall scripts but this one is till now the best.&quot; -- B.R, any problems. Your documentation is great and I really appreciate your
Netherlands network configuration info. That really helped me out alot. THANKS!!!"
</p> -- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
<p>&quot;Never in my +12 year career as a sys admin have I witnessed scripts but this one is till now the best." -- B.R, Netherlands
someone so relentless in developing a secure, state of the art, save and </p>
useful product as the Shorewall firewall package for no cost or obligation
involved.&quot; -- Mario Kericki, Toronto <p>"Never in my +12 year career as a sys admin have I witnessed someone
</p> so relentless in developing a secure, state of the art, save and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kericki, Toronto </p>
<p>&quot;one time more to report, that your great shorewall in the latest
release <p>"one time more to report, that your great shorewall in the latest
1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines up release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
and running with shorewall on several versions - starting with 1.2.2 up to have 7 machines up and running with shorewall on several versions -
the new 1.2.9 and I never have encountered any problems!&quot; -- SM, Germany</p> starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
<p>&quot;You have the best support of any other package I've ever <p>"You have the best support of any other package I've ever used."
used.&quot; -- SE, US -- SE, US </p>
</p>
<p>"Because our company has information which has been classified by the
<p>&quot;Because our company has information which has been classified by the national government as secret, our security doesn't stop by putting a fence
national government as secret, our security doesn't stop by putting a fence around our company. Information security is a hot issue. We also make use
around our company. Information security is a hot issue. We also make use of of checkpoint firewalls, but not all of the internet servers are guarded
checkpoint firewalls, but not all of the internet servers are guarded by by checkpoint, some of them are running....Shorewall." -- Name withheld
checkpoint, some of them are running....Shorewall.&quot; -- Name withheld by request, by request, Europe</p>
Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
<p>&quot;thanx for all your efforts you put into shorewall - this product stands out out against a lot of commercial stuff i´ve been working with in terms of
against a lot of commercial stuff i´ve been working with in terms of flexibillity, quality &amp; support" -- RM, Austria</p>
flexibillity, quality &amp; support&quot; -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to
<p>&quot;I have never seen such a complete firewall package that is so easy to configure. I searched the Debian package system for firewall scripts and
configure. I searched the Debian package system for firewall scripts and Shorewall won hands down." -- RG, Toronto</p>
Shorewall won hands down.&quot; -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
<p>&quot;My respects... I've just found and installed Shorewall 1.3.3-1 and it is a is a wonderful piece of software. I've just sent out an email to about 30
wonderful piece of software. I've just sent out an email to about 30 people people recommending it. :-)<br>
recommending it. :-)<br> While I had previously taken the time (maybe 40 hours) to really understand
While I had previously taken the time (maybe 40 hours) to really understand ipchains, then spent at least an hour per server customizing and carefully
ipchains, then spent at least an hour per server customizing and carefully scrutinizing firewall rules, I've got shorewall running on my home firewall,
scrutinizing firewall rules, I've got shorewall running on my home firewall, with rulesets and policies that I know make sense, in under 20 minutes."
with rulesets and policies that I know make sense, in under 20 minutes.&quot; -- RP, -- RP, Guatamala<br>
Guatamala<br> <br>
<br>  </p>
&nbsp;</p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated - <a href="support.htm">Tom Eastep</a> </font>
7/9/2002 - <a href="support.htm">Tom Eastep</a> </p>
</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
</p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body> </body>
</html>
</html>


@ -1,256 +1,300 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <base target="_self">
<meta name="ProgId" content="FrontPage.Editor.Document">
<base target="_self">
<meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img border="0" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
src="images/washington.jpg" align="right" width="100" height="82"> alt="Shorwall Logo" height="70" width="85" align="left"
<img border="0" src="images/washington.jpg" align="left" src="images/washington.jpg" border="0">
width="100" height="82"> </a></i></font><font color="#ffffff">Shorewall 1.3
</a></i></font><font color="#ffffff">Shorewall 1.3 - <font - <font size="4">"<i>iptables made easy"</i></font></font></h1>
size="4">"<i>iptables made easy"</i></font></font></h1>
</td>
</tr> <div align="center"><a href="1.2" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</tbody> </div>
<br>
</td>
</tr>
</tbody>
</table> </table>
<div align="center">
<center> <div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall",  is
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br> General Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program is distributed in the hope that it will be useful, This program is distributed in the hope that
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY it will be useful, but WITHOUT ANY WARRANTY; without even the
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
for more details.<br> PURPOSE. See the GNU General Public License for more details.<br>
<br> <br>
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General
along with this program; if not, write to the Free Software Foundation, Public License along with this program; if not, write to the
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF distribution called </a>Jacques Nilo and Eric Wolzak have a LEAF
<i>Bering</i> that features Shorewall-1.3.3 and Kernel-2.4.18. distribution called <i>Bering</i> that features Shorewall-1.3.3
You can find their work at: <a and Kernel-2.4.18. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>News</h2> <h2>News</h2>
<p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" width="28"
height="12"> <p><b>9/30/2002 - Shorewall 1.3.9a </b><b><img border="0"
</b></p> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!! </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b>9/28/2002 - Shorewall 1.3.9 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:<br> <p>In this version:<br>
</p> </p>
<ul> <ul>
<li>A NEWNOTSYN option has been added to shorewall.conf. This option <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
determines whether Shorewall accepts TCP packets which are not part of an are now allowed in Shorewall config files (although I recommend against
established connection and that are not 'SYN' packets (SYN flag on and ACK using them).</li>
flag off).</li> <li>The connection SOURCE may now be qualified by both interface
<li>The need for the 'multi' option to communicate between zones and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
za and zb on the same interface is removed in the case where the chain 'za2zb' <li>Shorewall startup is now disabled after initial installation
and/or 'zb2za' exists. 'za2zb' will exist if:</li> until the file /etc/shorewall/startup_disabled is removed. This avoids nasty
<ul> surprises at reboot for users who install Shorewall but don't configure
<li> it.</li>
<blockquote>There is a policy for za to zb; or</blockquote> <li>The 'functions' and 'version' files and the 'firewall' symbolic
</li> link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
<li> the LFS police at Debian.<br>
<blockquote>There is at least one rule for za to zb.</blockquote> </li>
</li>
</ul>
</ul> </ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><b> </b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net broke
the Search facility:<br>
<blockquote>
<ol>
<li>Mailing List Archive Search was not available.</li>
<li>The Site Search index was incomplete</li>
<li>Only one page of matches was presented.</li>
</ol>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/18/2002 - Debian 1.3.8 Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<b> </b>
<p><b>9/16/2002 - Shorewall 1.3.8</b><b> </b></p>
<p>In this version:<br>
</p>
<ul> <ul>
<li>The /etc/shorewall/blacklist file now contains three columns. <li>A NEWNOTSYN option has been added to shorewall.conf.
In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and This option determines whether Shorewall accepts TCP packets which
PORT columns to block only certain applications from the blacklisted addresses.<br> are not part of an established connection and that are not 'SYN' packets
</li> (SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate
between zones za and zb on the same interface is removed in the
case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist
if:
<ul>
<li>There is a policy for za to zb; or</li>
<li>There is at least one rule for za to zb.
</li>
</ul>
</li>
</ul> </ul>
<ul>
<li>The /etc/shorewall/blacklist file now contains
three columns. In addition to the SUBNET/ADDRESS column, there are
optional PROTOCOL and PORT columns to block only certain applications
from the blacklisted addresses.<br>
</li>
</ul>
<p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p> <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p> <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a role up of a fix for "DNAT" rules where the source zone <p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p> is $FW (fw).</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p> <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the "shorewall refresh" bug fix and the change <p>This is a role up of the "shorewall refresh" bug fix and the change
which reverses the order of "dhcp" and "norfc1918" checking.</p> which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p> <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank" <p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p> is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p> <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p> mirrored at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
<p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
<p>Lorenzo Martignoni reports that the packages for version 1.3.7a
are available at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for
its Author -- Shorewall 1.3.7a released <img border="0"
src="images/j0233056.gif" width="50" height="80" align="middle">
</b></p>
<p>1.3.7a corrects problems occurring in rules file processing when
starting Shorewall 1.3.7.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in <a
href="Documentation.htm#Conf"> shorewall.conf</a> should see the
<a href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to <a
href="Documentation.htm#Conf">shorewall.conf</a>. The effect of
setting this variable to Yes is the same as the effect of adding an
ACCEPT rule for ICMP echo-request in <a
href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
Users who have such a rule in icmpdef are encouraged to switch to
FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to
the rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7.</li>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul>
<p>I would like to thank John Distler for his valuable input regarding
TCP SYN and ICMP treatment in Shorewall. That input has led to marked improvement
in Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS Repository</a></b></p>
<p>The Shorewall-docs project now contains just the HTML and image
files - the Frontpage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a
target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> CVS
Repository</a></b></p>
<p>This branch will only be updated after I release a new version of
Shorewall so you can always update from this branch to get the latest stable
tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
added to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides
</a> including the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of or related
to an existing connection and that are not SYN packets. These "New not
SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of "New not SYN" packets may be extended by commands
in the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
script</a>.</li>
</ul>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c"
align="center"> <a href="http://sourceforge.net">M</a></td> valign="top" align="center"> <a
</tr> href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
<img border="4" src="images/newlog.gif" width="57" height="100"   </a></p>
align="right" hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font color="#ffffff">Starlight to <a href="http://www.starlight.org"><font
Children's Foundation.</font></a> Thanks!</font></p> color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
<p><font size="2">Updated 9/16/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 9/30/2002 - <a href="support.htm">Tom Eastep</a></font>
</font>
</p> <br>
<br> </p>
</body> </body>
</html> </html>


@ -1,108 +1,111 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tr> <tbody>
<td width="100%"> <tr>
<h1 align="center"><font color="#FFFFFF">Tom Eastep</font></h1> <td width="100%">
</td> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</tr> </td>
</table> </tr>
</tbody>
</table>
<p align="Center">
<img border="3" src="images/Hiking1.jpg" alt="Tom on the PCT - 1991" width="374" height="365"></p> <p align="center"> <img border="3" src="images/Hiking1.jpg"
alt="Tom on the PCT - 1991" width="374" height="365">
</p>
<p align="Center">Tom on the Pacific Crest Trail north of Stevens Pass, <p align="center">Tom on the Pacific Crest Trail north of Stevens Pass,
Washington&nbsp; -- Sept Washington  -- Sept 1991.<br>
1991.<br> <font size="2">Photo by Ken Mazawa</font></p>
<font size="2">Photo
by Ken Mazawa</font></p> <ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<ul> <li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington University</a> 1967</li>
State</a> <li>MA Mathematics from <a href="http://www.washington.edu">University
.</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
University</a>
1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li> of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a> <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li> (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security
when I established a home office in 1999 and had DSL service installed in our <p>I became interested in Internet Security when I established a home office
home. I investigated in 1999 and had DSL service installed in our home. I investigated ipchains
ipchains and developed the scripts which are now collectively known as <a href="http://seawall.sourceforge.net"> Seattle and developed the scripts which are now collectively known as <a
Firewall</a>. Expanding on what I learned from Seattle Firewall, I then href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
designed and wrote Shorewall. </p> on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> <p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
where I live with my wife Tarry. </p> Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
(Tulip) NIC - My personal Windows system.</li> and LNE100TX (Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
personal Linux System which runs Samba configured as a WINS server. This My personal Linux System which runs Samba configured as a WINS server.
system also has <a href="http://www.vmware.com/">VMware</a> installed and This system also has <a href="http://www.vmware.com/">VMware</a> installed
can run both <a href="http://www.debian.org">Debian</a> and and can run both <a href="http://www.debian.org">Debian</a> and
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li> <a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
- Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li>
(Bind).</li> <li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
<li>PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3 - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP 1.3.9 (Yep -- I run them before I release them) and a DHCP server.  Also
server.  Also runs PoPToP for road warrior access.</li> runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li> <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 personal system.</li>
in expansion base and LinkSys WAC11 - My main work system.</li> <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
</ul> and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
<p>For more about our network see <a href="myfiles.htm">my Shorewall
Configuration</a>.</p> </ul>
<p>All of our <p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
other systems are made by <a href="http://www.compaq.com">Compaq</a> (part
of the new <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.netgear.com">Netgear</a> <p>All of our other systems are made by <a
FA310TXs.</p> href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0" src="images/poweredby.png" width="88" height="31"></a><a href="http://www.compaq.com"><img border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"></a><a href="http://www.pureftpd.org"><img border="0" src="images/pure.jpg" width="88" height="31"></a><font size="4"><a href="http://www.apache.org"><img border="0" src="images/apache_pb1.gif" hspace="2" width="170" height="20"></a>
</font></p> <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
<p><font size="2">Last updated 8/16/2002 - </font><font size="2"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
<a href="support.htm">Tom Eastep</a></font> </a><a href="http://www.pureftpd.org"><img border="0"
</p> src="images/pure.jpg" width="88" height="31">
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> </a><font size="4"><a href="http://www.apache.org"><img border="0"
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
<p><font size="2">Last updated 9/19/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</body>
</html>


@ -1,54 +1,68 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Shorewall Prerequisites</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall Requirements</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<ul> <ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre2. <a href="kernel.htm"> <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
Check here for kernel configuration information.</a> <a href="kernel.htm"> Check here for kernel configuration information.</a>
If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall"> If you are looking for a firewall for use with 2.2 kernels, <a
see the Seattle Firewall site</a> href="http://www.shorewall.net/seawall"> see the Seattle Firewall
.</li> site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a href="errata.htm">Errata</a>. <li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
<font color="#FF0000"><b>WARNING: </b></font>The buggy iptables version 1.2.3 href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
is included in RedHat 7.2 and you should upgrade to iptables 1.2.4 prior to buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
installing Shorewall. Version 1.2.4 is available upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> is available <a
and in the <a href="errata.htm">Shorewall Errata</a>. If you are going to be href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
running kernel 2.4.18 or later, NO currently-available RedHat iptables RPM and in the <a href="errata.htm">Shorewall Errata</a>. If you are going
will work -- again, see the <a href="errata.htm">Shorewall Errata</a>. </li> to be running kernel 2.4.18 or later, NO currently-available RedHat iptables
<li>Some features require iproute ("ip" utility). The iproute package is RPM will work -- again, see the <a href="errata.htm">Shorewall Errata</a>.
included with most distributions but may not be installed by default. The
official download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
<font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li> </li>
<li>A Bourne shell or derivative such as bash or ash. Must have correct <li>Some features require iproute ("ip" utility). The iproute package
support for variable expansion formats ${<i>variable</i>%<i>pattern</i> is included with most distributions but may not be installed by default.
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> The official download site is <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> <font
face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. Must have correct
support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li> } and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have awk <li>The firewall monitoring display is greatly improved if you have awk
(gawk) installed.</li> (gawk) installed.</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 8/24/2002 - <a href="support.htm">Tom
Eastep</a></font></p> <p align="left"><font size="2">Last updated 9/19/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html>
</html>


@ -1,202 +1,209 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting
as a firewall/router for a small local network and a DMZ.</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul> </tbody>
</li> </table>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> <p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<ul> <li><a href="two-interface.htm">Two-interface</a> Linux System acting
<li>Static Blacklisting using /etc/shorewall/blacklist</li> as a firewall/router for a small local network</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li><a href="three-interface.htm">Three-interface</a> Linux System acting
as a firewall/router for a small local network and a DMZ.</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than is
explained in the single-address guides above.</p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/16/2002 - <a <p><font size="2">Last modified 9/16/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p> href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br> <br>
<br>
</body> </body>
</html> </html>



@ -1,320 +1,426 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Standalone Firewall</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber6" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<tr>
<h1 align="center"><font color="#FFFFFF">Standalone Firewall</font></h1> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<h2 align="center">Version 2.0.1</h2> <h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the
documentation.</p> <p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in one Shorewall. It rather focuses on what is required to configure Shorewall in
of its one of its most common configurations:</p>
most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this <p>This guide assumes that you have the iproute/iproute2 package installed
package is installed by the presence of an <b>ip</b> program on your firewall (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
system. As root, you can use the 'which' command to check for this program:</p> this package is installed by the presence of an <b>ip</b> program on your
<pre> [root@gateway root]# which ip firewall system. As root, you can use the 'which' command to check for this
/sbin/ip program:</p>
[root@gateway root]#</pre><p>I recommend that you read through the guide
first to familiarize yourself with what's involved then go back through it again <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
making your configuration changes.&nbsp; Points at which configuration changes
are recommended are flagged with <img border="0" src="images/BD21298_.gif" width="13" height="13">.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">&nbsp;&nbsp;&nbsp;
If you edit your configuration files on a Windows system, you must save them as
Unix files if your editor supports that option or you must run them through
dos2unix before trying to use them. Similarly, if you copy a configuration file
from your Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed Shorewall</a>,
download the <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, un-tar it
(tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation).</p>
<p>As each file is introduced, I suggest that you
look through the actual file on your system -- each file contains detailed
configuration instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of
<i>zones.</i> In the one-interface sample configuration, only one zone is
defined:</p>
<table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
/etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in
terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first checked against the
/etc/shorewall/rules file. If no rule in that file matches the connection
request then the first policy in /etc/shorewall/policy that matches the
request is applied. If that policy is REJECT or DROP&nbsp; the request is first <p>I recommend that you read through the guide first to familiarize yourself
checked against the rules in /etc/shorewall/common (the samples provide that with what's involved then go back through it again making your configuration
file for you).</p> changes.  Points at which configuration changes are recommended are flagged
<p>The /etc/shorewall/policy file included with the one-interface sample has the with <img border="0" src="images/BD21298_.gif" width="13" height="13">
following policies:</p> .</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
<tr>     If you edit your configuration files on a Windows system, you must
<td><u><b>SOURCE ZONE</b></u></td> save them as Unix files if your editor supports that option or you must
<td><u><b>DESTINATION ZONE</b></u></td> run them through dos2unix before trying to use them. Similarly, if you copy
<td><u><b>POLICY</b></u></td> a configuration file from your Windows hard drive to a floppy disk, you
<td><u><b>LOG LEVEL</b></u></td> must run dos2unix against the copy before using it with Shorewall.</p>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>net</td>
<td>net</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<pre> fw net ACCEPT
net all DROP info
all all REJECT info</pre>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall</li>
<li>reject all other connection requests (Shorewall requires this catchall
policy).</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that you
wish.</p>
<h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL &quot;Modem&quot;, the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that &quot;Modem&quot;&nbsp;
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a <b>ppp0</b>. If you connect via a regular modem, your External
Interface will also be <b>ppp0</b>. If you connect using ISDN, your external
interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>.
If your configuration is different, you will have to modify the sample
/etc/shorewall/interfaces file accordingly. While you are there, you may wish to
review the list of options that are specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, you can replace the of dos2unix</a></li>
&quot;detect&quot; in the second column with &quot;-&quot;.</li> <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
<li> of dos2unix</a></li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> or if you have a static IP
address, you can remove &quot;dhcp&quot; from the option list.</li>
</ul> </ul>
<div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">Shorewall Concepts</h2>
</div>
<div align="left"> <p>The configuration files for Shorewall are contained in the directory
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges for /etc/shorewall -- for simple setups, you only need to deal with a few of
use in private networks:</p> these as described in this guide. After you have <a href="Install.htm">installed
<div align="left"> Shorewall</a>, download the <a
<pre> 10.0.0.0 - 10.255.255.255 href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
172.16.0.0 - 172.31.255.255 un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
192.168.0.0 - 192.168.255.255</pre> (they will replace files with the same names that were placed in /etc/shorewall
</div> during Shorewall installation).</p>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose <p>As each file is introduced, I suggest that you look through the actual
destination address is reserved by RFC 1918. In some cases though, ISPs are file on your system -- each file contains detailed configuration instructions
assigning these addresses then using <i>Network Address Translation </i>to and default entries.</p>
rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" width="13" height="13">&nbsp;&nbsp;&nbsp;&nbsp; <p>Shorewall views the network where it is running as being composed of a
Before starting Shorewall, you should look at the IP address of your external set of <i>zones.</i> In the one-interface sample configuration, only one
interface and if it is one of the above ranges, you should remove the zone is defined:</p>
'norfc1918' option from the entry in /etc/shorewall/interfaces.</div>
<div align="left"> <table border="0" style="border-collapse: collapse;" cellpadding="3"
<h2 align="left">Enabling other Connections</h2> cellspacing="0" id="AutoNumber2">
</div> <tbody>
<div align="left"> <tr>
<p align="left">If you wish to enable connections from the internet to your firewall, the general format is:</div> <td><u><b>Name</b></u></td>
<div align="left"> <td><u><b>Description</b></u></td>
<blockquote> </tr>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4"> <tr>
<tr> <td><b>net</b></td>
<td><u><b>ACTION</b></u></td> <td><b>The Internet</b></td>
<td><u><b>SOURCE</b></u></td> </tr>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> </tbody>
<td><u><b>PORT</b></u></td> </table>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the request
is first checked against the rules in /etc/shorewall/common (the samples
provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td> <td>fw</td>
<td><i>&lt;protocol&gt;</i></td> <td>net</td>
<td><i>&lt;port&gt;</i></td> <td>ACCEPT</td>
<td>&nbsp;</td> <td> </td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
</table> <tr>
<td>net</td>
<td>net</td>
<td>DROP</td>
<td>info</td>
<td> </td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote> </blockquote>
</div>
<div align="left"> <pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre>
<p align="left">Example - You want to run a Web Server and a POP3 Server on your firewall
system:</div> <p>The above policy will:</p>
<div align="left">
<blockquote> <ol>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5"> <li>allow all connection requests from the firewall to the internet</li>
<tr> <li>drop (ignore) all connection requests from the internet to your firewall</li>
<td><u><b>ACTION</b></u></td> <li>reject all other connection requests (Shorewall requires this catchall
<td><u><b>SOURCE</b></u></td> policy).</li>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> </ol>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <p>At this point, edit your /etc/shorewall/policy and make any changes that
<td><u><b>ORIGINAL ADDRESS</b></u></td> you wish.</p>
</tr>
<tr> <h2 align="left">External Interface</h2>
<td>ACCEPT</td>
<td>net</td> <p align="left">The firewall has a single network interface. Where Internet
<td>fw</td> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<td>tcp</td> will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<td>80</td> <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
<td>&nbsp;</td> over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<td>&nbsp;</td> <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
</tr> a <b>ppp0</b>. If you connect via a regular modem, your External Interface
<tr> will also be <b>ppp0</b>. If you connect using ISDN, your external interface
<td>ACCEPT</td> will be<b> ippp0.</b></p>
<td>net</td>
<td>fw</td> <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
<td>tcp</td> height="13">
<td>110</td>     The Shorewall one-interface sample configuration assumes that the external
<td>&nbsp;</td> interface is <b>eth0</b>. If your configuration is different, you will have
<td>&nbsp;</td> to modify the sample /etc/shorewall/interfaces file accordingly. While you
</tr> are there, you may wish to review the list of options that are specified
</table> for the interface. Some hints:</p>
</blockquote>
</div> <ul>
<div align="left"> <li>
<p align="left">If you don't know what port and protocol a particular <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
application uses, see <a href="ports.htm">here</a>.</div> you can replace the "detect" in the second column with "-". </p>
<div align="left"> </li>
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <li>
the internet because it uses clear text (even for login!). If you want shell <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
access to your firewall from the internet, use SSH:</div> or if you have a static IP address, you can remove "dhcp" from the option
<div align="left"> list. </p>
<blockquote> </li>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr> </ul>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <div align="left">
<td><u><b>DESTINATION</b></u></td> <h2 align="left">IP Addresses</h2>
<td><u><b>PROTOCOL</b></u></td> </div>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <div align="left">
<td><u><b>ORIGINAL ADDRESS</b></u></td> <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
</tr> for use in private networks:</p>
<tr>
<td>ACCEPT</td> <div align="left">
<td>net</td> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
<td>fw</td> </div>
<td>tcp</td>
<td>22</td> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
<td>&nbsp;</td> because the Internet backbone routers will not forward a packet whose
<td>&nbsp;</td> destination address is reserved by RFC 1918. In some cases though, ISPs
</tr> are assigning these addresses then using <i>Network Address Translation
</table> </i>to rewrite packet headers when forwarding to/from the internet.</p>
</blockquote>
</div> <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
<div align="left"> width="13" height="13">
<pre> ACCEPT net fw tcp 22</pre>      Before starting Shorewall, you should look at the IP address of
</div> your external interface and if it is one of the above ranges, you should
<div align="left"> remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; At this point, edit </div>
/etc/shorewall/rules to add other connections as desired.</div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2> <h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left">
<p align="left">The <a href="Install.htm">installation procedure </a> <div align="left">
configures your system to start Shorewall at system boot.</div> <p align="left">If you wish to enable connections from the internet to your
<div align="left"> firewall, the general format is:</p>
<p align="left">The firewall is started using the &quot;shorewall start&quot; command </div>
and stopped using &quot;shorewall stop&quot;. When the firewall is stopped, routing is
enabled on those hosts that have an entry in <div align="left">
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A <blockquote>
running firewall may be restarted using the &quot;shorewall restart&quot; command. If <table border="1" cellpadding="2" style="border-collapse: collapse;"
you want to totally remove any trace of Shorewall from your Netfilter id="AutoNumber4">
configuration, use &quot;shorewall clear&quot;.</div> <tbody>
<div align="left"> <tr>
<p align="left"><b>WARNING: </b>If you are connected to your firewall from the <td><u><b>ACTION</b></u></td>
internet, do not issue a &quot;shorewall stop&quot; command unless you have added an <td><u><b>SOURCE</b></u></td>
entry for the IP address that you are connected from to <td><u><b>DESTINATION</b></u></td>
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. <td><u><b>PROTOCOL</b></u></td>
Also, I don't recommend using &quot;shorewall restart&quot;; it is better to create an <td><u><b>PORT</b></u></td>
<i><a href="Documentation.htm#Configs">alternate configuration</a></i> and <td><u><b>SOURCE PORT</b></u></td>
test it using the <a href="Documentation.htm#Starting">&quot;shorewall try&quot; command</a>.</div> <td><u><b>ORIGINAL ADDRESS</b></u></td>
<p align="left"><font size="2">Last updated </tr>
7/23/2002 - <a href="support.htm">Tom <tr>
Eastep</a></font></p> <td>ACCEPT</td>
<td>net</td>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> <td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    At this point, edit /etc/shorewall/rules to add other connections
as desired.</p>
</div>
<div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have added
an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall try"
command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
</body> </body>
</html>
</html>


@ -1,183 +1,225 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Starting and Stopping Shorewall</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Starting/Stopping and Monitoring the Firewall</font></h1>
</td>
</tr>
</table>
<p>
If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type "chkconfig
--add firewall". This will start the firewall in run levels 2-5 and stop
it in run levels 1 and 6. If you want to configure your firewall differently
from this default, you can use the "--level" option in chkconfig
(see "man chkconfig") or using your favorite graphical run-level editor.</p>
<p><strong><u>
<font color="#000099">
Important Note:</font></u> </strong></p>
<p>
If you use dialup, you may want to start the firewall in your /etc/ppp/ip-up.local
script. I recommend just placing "shorewall restart" in that script.
</p>
<p>
You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running) and
then starts it again</li>
<li>shorewall reset - reset the packet and byte counters in the
firewall</li>
<li>shorewall clear - remove all rules and chains installed by
Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast addresses
of firewall interfaces and the black and white lists.</li>
</ul>
<p>
The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle table
(iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently being
tracked by the firewall.</li>
<li>shorewall
show
tc
- displays information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet log
messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed
version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation
of the zones, interfaces, hosts, rules and policy files.
<font size="4" color="#FF6666"><b>The &quot;check&quot; command does not parse and
validate the generated iptables commands so even though the &quot;check&quot; command
completes successfully, the configuration may fail to start. See the
recommended way to make configuration changes described below. </b></font>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] - Restart shorewall using the
specified configuration and if an error occurs or if the<i> timeout </i>
option is given and the new configuration has been up for that many seconds
then shorewall is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall save
implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
</ul>
<p> <table border="0" cellpadding="0" cellspacing="0"
The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b>&nbsp;and style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<b>shorewall try </b>commands allow you to specify which <a href="#Configs"> id="AutoNumber1" bgcolor="#400169" height="90">
Shorewall configuration</a>
to use:</p> <tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once you
<p> have installed "firewall" in your init.d directory, simply type
shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> "chkconfig --add firewall". This will start the firewall in run levels
shorewall try <i>configuration-directory</i></p> 2-5 and stop it in run levels 1 and 6. If you want to configure your firewall
</blockquote> differently from this default, you can use the "--level" option in
chkconfig (see "man chkconfig") or using your favorite graphical run-level
<p> editor.</p>
If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file
will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p>
When changing the configuration of a production firewall, I recommend the
following:</p>
<ul>
<li>mkdir /etc/test</li>
<li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall to . and change them here&gt;</li>
<li>shorewall -c . check</li> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
<li>&lt;correct any errors found by check and check again&gt;</li> </p>
<li>/sbin/shorewall try .</li>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li>
</ul> </ul>
<p>
If the configuration starts but doesn't work, just &quot;shorewall restart&quot; to
restore the old configuration. If the new configuration fails to start, the
&quot;try&quot; command will automatically start the old one for you.</p>
<p>
When the new configuration works then just </p>
<ul>
<li>cp * /etc/shorewall</li> <p> The "shorewall" program may also be used to monitor the firewall.</p>
<li>cd</li>
<li>rm -rf /etc/test</li>
<ul>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle table
(iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li>
<li>shorewall
show
tc - displays information
about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet
log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files. <font size="4"
color="#ff6666"><b>The "check" command does not parse and validate the
generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
- Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using the
standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
</ul> </ul>
<p><font size="2"> <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
Updated 8/8/2002 - <a href="support.htm">Tom <b>shorewall try </b>commands allow you to specify which <a
Eastep</a> href="#Configs"> Shorewall configuration</a> to use:</p>
</font></p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file
will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <p> When changing the configuration of a production firewall, I recommend
the following:</p>
</body>
<ul>
</html>
<li>mkdir /etc/test</li>
<li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li>
<li>shorewall -c . check</li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p>
<p> When the new configuration works then just </p>
<ul>
<li>cp * /etc/shorewall</li>
<li>cd</li>
<li>rm -rf /etc/test</li>
</ul>
<p><font size="2"> Updated 9/26/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>


@ -1,88 +1,85 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title> <title>Support</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It <h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
is easier to post a problem than to use your own brain" </font>-- </i> <font easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Weitse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3> size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer with tell you how it works -- you <p align="left"> <i>"Any sane computer will tell you how it works -- you just
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p> have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i> <p><span style="font-weight: 400;"><i>"It irks me when people believe that
- <font size="2"> Weitse Venema</font></span></p> free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venema</font></span></p>
<h3 align="left">Before Reporting a Problem</h3> <h3 align="left">Before Reporting a Problem</h3>
<p>There are a number of sources for problem solution information.</p> <p>There are a number of sources for problem solution information.</p>
<ul> <ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
a number of tips to help you solve common problems.</li> contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated <li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li> components.</li>
<li>The Mailing List Archives are a useful source of problem solving <li>The Mailing List Archives search facility can locate posts about
information.</li> similar problems:</li>
</ul> </ul>
<blockquote> <h4>Mailing List Archive Search</h4>
<p>The archives from the mailing List are at <a
href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<h3>Search the Mailing List Archives at Shorewall.net</h3> <select name="method">
<option value="and">All </option>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <option value="or">Any </option>
<p> <font size="-1"> Match: <option value="boolean">Boolean </option>
<select name="method"> </select>
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
<option value="title">Title </option> <option value="title">Title </option>
<option value="revscore">Reverse Score </option> <option value="revscore">Reverse Score </option>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
@ -90,58 +87,60 @@ a number of tips to help you solve common problems.</li>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
</blockquote>
<h3 align="left">Problem Reporting Guidelines</h3> <h3 align="left">Problem Reporting Guidelines</h3>
<ul> <ul>
<li>When reporting a problem, give as much information as you can. Reports <li>When reporting a problem, give as much information as you can.
that say "I tried XYZ and it didn't work" are not at all helpful.</li> Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send you <li>Please don't describe your environment and then ask us to send
custom configuration files. We're here to answer your questions you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li> but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when <li>Do you see any "Shorewall" messages in /var/log/messages when
you exercise the function that is giving you problems?</li> you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump to <li>Have you looked at the packet flow with a tool like tcpdump
try to understand what is going on?</li> to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application <li>Have you tried using the diagnostic capabilities of the application
that isn't working? For example, if "ssh" isn't able to connect, using that isn't working? For example, if "ssh" isn't able to connect, using
the "-v" option gives you a lot of valuable diagnostic information.</li> the "-v" option gives you a lot of valuable diagnostic information.</li>
<li>Please include any of the Shorewall configuration files (especially <li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start", think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li> section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your <li>The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.</li> network layout, etc to the Mailing List -- your post will be rejected.</li>
</ul> </ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3> <h3>Where to Send your Problem Report or to Ask for Help</h3>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please <h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>; href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p> to help people who have a similar question or problem in the future.</p>
<p>I don't look at problems sent to me directly but I try to spend some amount <p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p> of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p> <p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 9/14/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br> <br>
<br>
</body> </body>
</html> </html>




@ -1,145 +1,172 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title> <title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr> <table border="0" cellpadding="0" cellspacing="0"
<td width="100%"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<h1 align="center"><font color="#FFFFFF">Upgrade Issues</font></h1> bgcolor="#400169" height="90">
</td> <tbody>
</tr> <tr>
</table> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
<p>For upgrade instructions see the </td>
<a href="Install.htm">Install/Upgrade page</a>.</p> </tr>
<h3>Version &gt;= 1.3.7</h3> </tbody>
</table>
<p>Users specifying ALLOWRELATED=No in
/etc/shorewall.conf will need to include the <p>For upgrade instructions see the <a
following rules in their /etc/shorewall/icmpdef href="Install.htm">Install/Upgrade page</a>.</p>
file (creating this file if necessary):</p>
<h3>Version &gt;= 1.3.9</h3>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT The 'functions' file has moved to /usr/lib/shorewall/functions. If you have
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT an application that uses functions from that file, your application will need
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT to be changed to reflect this change of location.<br>
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <h3>Version &gt;= 1.3.8</h3>
<p>Users having an /etc/shorewall/icmpdef file may remove the &quot;.
/etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now <p>If you have a pair of firewall systems configured for failover
empty.</p> or if you have asymmetric routing, you will need to modify
<h3><b><a name="Bering">Upgrading </a>Bering to your firewall setup slightly under Shorewall
Shorewall &gt;= 1.3.3</b></h3> versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
<p>To properly upgrade with Shorewall version /etc/shorewall/shorewall.conf file.</p>
1.3.3 and later:</p>
<h3>Version &gt;= 1.3.7</h3>
<ol>
<li>Be sure you have a backup -- you will need <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
to transcribe any Shorewall configuration will need to include the following rules in
changes that you have made to the new their /etc/shorewall/icmpdef file (creating
configuration.</li> this file if necessary):</p>
<li>Replace the shorwall.lrp package provided on
the Bering floppy with the later one. If you did <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
not obtain the later version from Jacques's
site, see additional instructions below.</li> <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
<li>Edit the /var/lib/lrpkg/root.exclude.list command from that file since the icmp.def file is now empty.</p>
file and remove the /var/lib/shorewall entry if
present. Then do not forget to backup root.lrp !</li> <h3><b><a name="Bering">Upgrading </a>Bering to
</ol> Shorewall &gt;= 1.3.3</b></h3>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions for <p>To properly upgrade with Shorewall version
setting up a two-interface firewall</a> plus you also need to add the following 1.3.3 and later:</p>
two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <ol>
<pre># Bering specific rules: <li>Be sure you have a backup -- you
# allow loc to fw udp/53 for dnscache to work will need to transcribe any Shorewall configuration
# allow loc to fw tcp/80 for weblet to work changes that you have made to the new
# configuration.</li>
ACCEPT loc fw udp 53 <li>Replace the shorwall.lrp package
ACCEPT loc fw tcp 80</pre> provided on the Bering floppy with the
</blockquote> later one. If you did not obtain the later
version from Jacques's site, see additional
<h3 align="Left">Version &gt;= 1.3.6</h3> instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
<p align="Left">If you have a pair of firewall systems configured for file and remove the /var/lib/shorewall entry
failover, you will need to modify your firewall setup slightly under if present. Then do not forget to backup
Shorewall versions &gt;= 1.3.6. </p> root.lrp !</li>
<ol>
<li>
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
connection tracking table can be rebuilt<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# from non-SYN packets after takeover.<br>
&nbsp;</font></li>
<li>
<p align="Left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
#tracking table. <br>
. /etc/shorewall/common.def</font></li>
</ol> </ol>
<h3 align="Left">Versions &gt;= 1.3.5</h3> <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no for setting up a two-interface firewall</a> plus you also need to add the
longer supported. </p> following two Bering-specific rules to /etc/shorewall/rules:</p>
<p align="Left">Example 1:</p> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
<div align="left"> </blockquote>
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="Left">Must be replaced with:</p> <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
<div align="left"> your firewall setup slightly under Shorewall versions 1.3.6 and
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> 1.3.7</p>
</div>
<div align="left"> <ol>
<p align="left">Example 2:</div> <li>
<div align="left"> <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> the following rule<br>
</div> <br>
<div align="left"> <font face="Courier">run_iptables -A newnotsyn -j RETURN #
<p align="left">Must be replaced with:</div> So that the connection tracking table can be rebuilt<br>
<div align="left">                                     # from non-SYN packets
<pre> REDIRECT loc 3128 tcp 80</pre> after takeover.<br>
</div>  </font> </p>
</li>
<h3 align="Left">Version &gt;= 1.3.2</h3> <li>
<p align="left">Create /etc/shorewall/common (if you don't already
<p align="Left">The functions and versions files together with the have that file) and include the following:<br>
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. <br>
If you have applications that access these files, those applications <font face="Courier">run_iptables -A common -p tcp --tcp-flags
should be modified accordingly.</p> ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
                                                                   
<p><font size="2"> #tracking table. <br>
Last updated 9/13/2002 - . /etc/shorewall/common.def</font> </p>
<a href="support.htm">Tom Eastep</a></font> </p> </li>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> </ol>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 9/30/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.8 VERSION=1.3.9a
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -57,7 +57,10 @@ fi
echo "Backing Out Installation of Shorewall $VERSION" echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /var/lib/shorewall/firewall ]; then if [ -L /usr/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
elif [ -L /var/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'` FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL restore_file $FIREWALL
fi fi
@ -69,6 +72,7 @@ restore_file /sbin/shorewall
restore_file /etc/shorewall/shorewall.conf restore_file /etc/shorewall/shorewall.conf
restore_file /etc/shorewall/functions restore_file /etc/shorewall/functions
restore_file /usr/lib/shorewall/functions
restore_file /var/lib/shorewall/functions restore_file /var/lib/shorewall/functions
restore_file /etc/shorewall/common.def restore_file /etc/shorewall/common.def
@ -109,8 +113,11 @@ restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/rfc1918 restore_file /etc/shorewall/rfc1918
if [ -f /var/lib/shorewall/version-${VERSION}.bkout ]; then if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /var/shorewall/version restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`"
elif [ -f /var/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /var/lib/shorewall/version
oldversion="`cat /var/lib/shorewall/version`" oldversion="`cat /var/lib/shorewall/version`"
else else
restore_file /etc/shorewall/version restore_file /etc/shorewall/version
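Review bot: The new /usr/lib branch resolves the firewall symlink by parsing `ls -l` output (`FIREWALL=\`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'\``) and then passes the result unquoted to `restore_file $FIREWALL`, so a target path containing whitespace or the sequence "> " is mis-parsed and the wrong file gets restored. Where readlink is available, `FIREWALL=\`readlink /usr/lib/shorewall/firewall\`` followed by `restore_file "$FIREWALL"` avoids both problems; the same applies to the pre-existing /var/lib branch that the hunk keeps. restore_file itself is defined outside the hunk, so I cannot tell whether it tolerates an empty argument when the link is dangling.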


@ -74,14 +74,14 @@ list_search() # $1 = element to search for , $2-$n = list
# Function to count list elements # # Function to count list elements #
############################################################################### ###############################################################################
list_count() { list_count() {
local temp=`separate_list $1` local temp="`separate_list $1`"
echo $temp | wc -w echo $temp | wc -w
} }
############################################################################### ###############################################################################
# Mutual exclusion -- These functions are jackets for the mutual exclusion # # Mutual exclusion -- These functions are jackets for the mutual exclusion #
# routines in /var/lib/shorewall/functions. They invoke # # routines in /usr/lib/shorewall/functions. They invoke #
# the corresponding function in that file if the user did # # the corresponding function in that file if the user did #
# not specify "nolock" on the runline. # # not specify "nolock" on the runline. #
############################################################################### ###############################################################################
@ -592,7 +592,7 @@ validate_rule() {
# Ensure that the passed comma-separated list has 15 or fewer elements # Ensure that the passed comma-separated list has 15 or fewer elements
# #
validate_list() { validate_list() {
local temp=`separate_list $1` local temp="`separate_list $1`"
[ `echo $temp | wc -w` -le 15 ] [ `echo $temp | wc -w` -le 15 ]
} }
@ -609,10 +609,13 @@ validate_rule() {
[ -n "$client" ] && case "$client" in [ -n "$client" ] && case "$client" in
-) -)
;; ;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
~*) ~*)
cli=`mac_match $client` cli=`mac_match $client`
;; ;;
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address, address or subnet # IP Address, address or subnet
# #
@ -632,7 +635,7 @@ validate_rule() {
-) -)
serv= serv=
;; ;;
[0-9]*|![0-9]*) *.*.*)
serv=$server serv=$server
;; ;;
~*) ~*)
@ -669,6 +672,7 @@ validate_rule() {
state="-m state --state RELATED" state="-m state --state RELATED"
;; ;;
*) *)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
startup_error "Port number not allowed with protocol " \ startup_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\"" "\"$proto\"; rule: \"$rule\""
@ -775,7 +779,7 @@ validate_rule() {
clientzone="$clients" clientzone="$clients"
clients= clients=
else else
clientzone="${clients%:*}" clientzone="${clients%%:*}"
clients="${clients#*:}" clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \ [ -z "$clientzone" -o -z "$clients" ] && \
startup_error "Error: Empty source zone or qualifier: rule \"$rule\"" startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
@ -1141,10 +1145,10 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_ipsec() # $1 = gateway $2 = gateway zone setup_one_ipsec() # $1 = gateway $2 = gateway zone
{ {
options="-m state --state NEW -j ACCEPT" options="-m state --state NEW -j ACCEPT"
addrule $inchain -p 50 -s $1 $options addrule $inchain -p 50 -s $1 -j ACCEPT
addrule $outchain -p 50 -d $1 $options addrule $outchain -p 50 -d $1 -j ACCEPT
run_iptables -A $inchain -p 51 -s $1 $options run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
run_iptables -A $outchain -p 51 -d $1 $options run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
@ -1162,9 +1166,8 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
{ {
options="-m state --state NEW -j ACCEPT" addrule $inchain -p $3 -s $2 -j ACCEPT
addrule $inchain -p $3 -s $2 $options addrule $outchain -p $3 -d $2 -j ACCEPT
addrule $outchain -p $3 -d $2 $options
echo " $1 tunnel to $gateway defined." echo " $1 tunnel to $gateway defined."
} }
@ -1381,7 +1384,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
[0-9]*) *.*.*)
r="-s $source " r="-s $source "
;; ;;
~*) ~*)
@ -1624,7 +1627,10 @@ add_a_rule()
[ -n "$client" ] && case "$client" in [ -n "$client" ] && case "$client" in
-) -)
;; ;;
[0-9]*|![0-9]*) *:*)
cli="-i ${client%:*} -s ${client#*:}"
;;
*.*.*)
cli="-s $client" cli="-s $client"
;; ;;
~*) ~*)
@ -1643,7 +1649,7 @@ add_a_rule()
-) -)
serv= serv=
;; ;;
[0-9]*|![0-9]*) *.*.*)
serv=$server serv=$server
;; ;;
*) *)
@ -1698,6 +1704,7 @@ add_a_rule()
state="-m state --state RELATED" state="-m state --state RELATED"
;; ;;
*) *)
state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
fatal_error "Port number not allowed with protocol " \ fatal_error "Port number not allowed with protocol " \
"\"$proto\"; rule: \"$rule\"" "\"$proto\"; rule: \"$rule\""
@ -1820,7 +1827,7 @@ process_rule() {
clientzone="$clients" clientzone="$clients"
clients= clients=
else else
clientzone="${clients%:*}" clientzone="${clients%%:*}"
clients="${clients#*:}" clients="${clients#*:}"
[ -z "$clientzone" -o -z "$clients" ] && \ [ -z "$clientzone" -o -z "$clients" ] && \
fatal_error "Error: Empty source zone or qualifier: rule \"$rule\"" fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
@ -1967,7 +1974,7 @@ process_tos_rule() {
fi fi
[ -n "$src" ] && case "$src" in [ -n "$src" ] && case "$src" in
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address or subnet # IP Address or subnet
# #
@ -2010,7 +2017,7 @@ process_tos_rule() {
fi fi
[ -n "$dst" ] && case "$dst" in [ -n "$dst" ] && case "$dst" in
[0-9]*|![0-9]*) *.*.*)
# #
# IP Address or subnet # IP Address or subnet
# #
@ -2416,7 +2423,7 @@ setup_masq()
iface= iface=
case $subnet in case $subnet in
[0-9]*|![0-9]*) *.*.*)
source="$subnet" source="$subnet"
subnet="-s $subnet" subnet="-s $subnet"
;; ;;
@ -2783,12 +2790,17 @@ initialize_netfilter () {
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
setpolicy FORWARD DROP setpolicy FORWARD DROP
deleteallchains deleteallchains
setcontinue FORWARD setcontinue FORWARD
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
#
# Allow DNS lookups during startup for FQDNs
#
run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
[ -n "$CLAMPMSS" ] && \ [ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \ run_iptables -A FORWARD -p tcp \
@ -3245,6 +3257,9 @@ activate_rules()
run_iptables -D INPUT 1 run_iptables -D INPUT 1
run_iptables -D OUTPUT 1 run_iptables -D OUTPUT 1
run_iptables -D FORWARD 1 run_iptables -D FORWARD 1
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
} }
################################################################################ ################################################################################
@ -3252,6 +3267,16 @@ activate_rules()
################################################################################ ################################################################################
define_firewall() # $1 = Command (Start or Restart) define_firewall() # $1 = Command (Start or Restart)
{ {
if [ -f /etc/shorewall/startup_disabled ]; then
echo " Shorewall Startup is disabled -- to enable startup"
echo " after you have completed Shorewall configuration,"
echo " remove the file /etc/shorewall/startup_disabled"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2
fi
echo "${1}ing Shorewall..." echo "${1}ing Shorewall..."
verify_os_version verify_os_version
@ -3329,7 +3354,7 @@ define_firewall() # $1 = Command (Start or Restart)
createchain shorewall no createchain shorewall no
date > /var/lib/shorewall/restarted date > $STATEDIR/restarted
report "Shorewall ${1}ed" report "Shorewall ${1}ed"
@ -3512,7 +3537,7 @@ do_initialize() {
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
functions=/var/lib/shorewall/functions functions=/usr/lib/shorewall/functions
if [ -f $functions ]; then if [ -f $functions ]; then
. $functions . $functions
@ -3520,7 +3545,7 @@ do_initialize() {
startup_error "$functions does not exist!" startup_error "$functions does not exist!"
fi fi
version_file=/var/lib/shorewall/version version_file=/usr/lib/shorewall/version
[ -f $version_file ] && version=`cat $version_file` [ -f $version_file ] && version=`cat $version_file`
# #
@ -3536,6 +3561,7 @@ do_initialize() {
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
@ -3623,6 +3649,7 @@ case "$command" in
if qt iptables -L shorewall -n ; then if qt iptables -L shorewall -n ; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
echo "Shorewall Already Started" echo "Shorewall Already Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
exit 0; exit 0;
fi fi
@ -3652,7 +3679,7 @@ case "$command" in
reset) reset)
iptables -L -n -Z -v iptables -L -n -Z -v
report "Shorewall Counters Reset" report "Shorewall Counters Reset"
date > /var/lib/shorewall/restarted date > $STATEDIR/restarted
;; ;;
refresh) refresh)
@ -3660,6 +3687,7 @@ case "$command" in
my_mutex_on my_mutex_on
if ! qt iptables -L shorewall -n ; then if ! qt iptables -L shorewall -n ; then
echo "Shorewall Not Started" echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off my_mutex_off
exit 2; exit 2;
fi fi
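Review bot: The startup-time DNS exception added in initialize_netfilter (`run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT` and the matching FORWARD rule) accepts UDP/53 from any source to any destination on both chains, not just the firewall's own queries to its configured resolvers, so every start and restart opens an unrestricted forwarding window for port 53 until activate_rules deletes the two rules. The FORWARD rule is not needed for the firewall's own name lookups, which leave via OUTPUT, so unless there is a reason I cannot see it should be dropped, and the OUTPUT rule could be limited to the resolvers, e.g. `for ns in $(sed -n 's/^nameserver[[:space:]]*//p' /etc/resolv.conf); do run_iptables -A OUTPUT -p udp -d $ns --dport 53 -j ACCEPT; done` with the same loop issuing `-D` in activate_rules. If startup aborts between initialize_netfilter and activate_rules (the startup_error path), nothing in this hunk removes the ACCEPT rules, so whether they linger on the DROP-policy chains depends on code outside the hunk. Since this commit also lets rules name hosts by DNS, a comment in the config files should state that such a rule is bound to whatever address an unauthenticated UDP answer returned at startup and is not re-resolved until the next restart. Both initialize_netfilter and activate_rules begin outside the hunk.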


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall 1.3 -- /var/lib/shorewall/functions # Shorewall 1.3 -- /usr/lib/shorewall/functions
# #
# Suppress all output for a command # Suppress all output for a command


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.8 VERSION=1.3.9a
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -254,9 +254,10 @@ fi
echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL" echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
# #
# Create /etc/shorewall and /var/shorewall if needed # Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed
# #
mkdir -p ${PREFIX}/etc/shorewall mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/lib/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall mkdir -p ${PREFIX}/var/lib/shorewall
# #
# Install the config file # Install the config file
@ -280,7 +281,12 @@ fi
# #
# Install the functions file # Install the functions file
# #
install_file_with_backup functions ${PREFIX}/var/lib/shorewall/functions 0444 if [ -f ${PREFIX}/etc/shorewall/functions ]; then
backup_file ${PREFIX}/var/lib/shorewall/functions
rm -f ${PREFIX}/var/lib/shorewall/functions
fi
install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
echo -e "\nCommon functions installed in ${PREFIX}/var/lib/shorewall/functions" echo -e "\nCommon functions installed in ${PREFIX}/var/lib/shorewall/functions"
# #
@ -443,19 +449,19 @@ fi
# Backup the version file # Backup the version file
# #
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then
if [ -f /var/lib/shorewall/version ]; then if [ -f /usr/lib/shorewall/version ]; then
backup_file /var/lib/shorewall/version backup_file /usr/lib/shorewall/version
elif [ -n "$oldversion" ]; then elif [ -n "$oldversion" ]; then
echo $oldversion > /var/lib/shorewall/version-${VERSION}.bkout echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout
else else
echo "Unknown" > /var/lib/shorewall/version-${VERSION}.bkout echo "Unknown" > /usr/lib/shorewall/version-${VERSION}.bkout
fi fi
fi fi
# #
# Create the version file # Create the version file
# #
echo "$VERSION" > ${PREFIX}/var/lib/shorewall/version echo "$VERSION" > ${PREFIX}/usr/lib/shorewall/version
chmod 644 ${PREFIX}/var/lib/shorewall/version chmod 644 ${PREFIX}/usr/lib/shorewall/version
# #
# Remove and create the symbolic link to the firewall script # Remove and create the symbolic link to the firewall script
# #
@ -463,12 +469,13 @@ chmod 644 ${PREFIX}/var/lib/shorewall/version
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then
rm -f /etc/shorewall/firewall rm -f /etc/shorewall/firewall
rm -f /var/lib/shorewall/firewall rm -f /var/lib/shorewall/firewall
ln -s ${DEST}/${FIREWALL} /var/lib/shorewall/firewall rm -f /usr/lib/shorewall/firewall
ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/firewall
else else
pushd ${PREFIX}/var/lib/shorewall/ >> /dev/null && ln -s ../../..${DEST}/${FIREWALL} firewall && popd >> /dev/null pushd ${PREFIX}/usr/lib/shorewall/ >> /dev/null && ln -s ../../..${DEST}/${FIREWALL} firewall && popd >> /dev/null
fi fi
echo -e "\n${PREFIX}/var/lib/shorewall/firewall linked to ${PREFIX}$DEST/$FIREWALL" echo -e "\n${PREFIX}/usr/lib/shorewall/firewall linked to ${PREFIX}$DEST/$FIREWALL"
if [ -z "$PREFIX" -a -n "$first_install" ]; then if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
@ -493,7 +500,13 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
else else
modify_rclocal modify_rclocal
fi fi
echo \
"########################################################################
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
########################################################################" > /etc/shorewall/startup_disabled
fi fi
# #
# Report Success # Report Success
# #
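Review bot: The cleanup of the old functions file tests `${PREFIX}/etc/shorewall/functions` but then backs up and removes `${PREFIX}/var/lib/shorewall/functions`, so on a system upgraded from 1.3.2–1.3.8 (which has only the /var/lib copy) the stale script is left behind, while the pre‑1.3.2 /etc copy it actually checks for is never removed. The condition should read `if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then` so the path tested is the path acted on. The success message on the following line still reports the old location and should become `echo -e "\nCommon functions installed in ${PREFIX}/usr/lib/shorewall/functions"`. The surrounding install_file_with_backup and backup_file helpers are defined outside the hunk.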


@ -37,7 +37,9 @@
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary # the address given in this column is the primary
# IP address for the interface in the INTERFACE # IP address for the interface in the INTERFACE
# column. # column.
#
# This column may not contain a DNS Name.
# #
# Example 1: # Example 1:
# #


@ -14,10 +14,10 @@
# #
# EXTERNAL External IP Address - this should NOT be the primary # EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next # IP address of the interface named in the next
# column. # column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear # INTERFACE Interface that we want to EXTERNAL address to appear
# on # on
# INTERNAL Internal Address # INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective # ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective # from all hosts. If No or no then NAT will be effective
# only through the interface named in the INTERFACE # only through the interface named in the INTERFACE


@ -3,20 +3,14 @@ fixes.
New features include: New features include:
1. A NEWNOTSYN option has been added to shorewall.conf. This option 1. DNS Names are now allowed in Shorewall config files.
determines whether Shorewall accepts TCP packets which are not part
of an established connection and that are not 'SYN' packets (SYN
flag on and ACK flag off).
2. The connection SOURCE may now be qualified by both interface
and IP address in a Shorewall rule.
2. The need for the 'multi' option to communicate between zones za and 3. Shorewall startup is now disabled after initial installation until
zb on the same interface is removed in the case where the chain the file /etc/shorewall/startup_disabled is removed.
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
a. There is a policy for za to zb. 4. The 'functions' and 'version' files and the 'firewall' symbolic link
b. There is at least one rule for za to zb. have been moved from /var/lib/shorewall to /usr/lib/shorewall to
appease the LFS police at Debian.
3. The /etc/shorewall/blacklist file now contains three columns. In
addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the
blacklisted addresses.


@ -56,9 +56,12 @@
# MAC address 00:A0:C9:15:39:78. # MAC address 00:A0:C9:15:39:78.
# #
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For # by appending ":" to the zone name followed by the
# example, loc:eth1 specifies a client that # interface name. For example, loc:eth1 specifies a
# communicates with the firewall system through eth1. # client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall # /etc/shorewall/zones or $FW to indicate the firewall
@ -68,6 +71,13 @@
# subnet, host or interface by appending ":" and the # subnet, host or interface by appending ":" and the
# subnet, host or interface. See above. # subnet, host or interface. See above.
# #
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
#
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the # ":". If omitted, the firewall will not modifiy the


@ -312,6 +312,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo -e "Dropped/Rejected Packet Log\\n" echo -e "Dropped/Rejected Packet Log\\n"
show_reset
rejects=`iptables -L -v -n | grep 'LOG'` rejects=`iptables -L -v -n | grep 'LOG'`
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
@ -384,6 +386,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
echo -e "Dropped/Rejected Packet Log\\n" echo -e "Dropped/Rejected Packet Log\\n"
show_reset
rejects=`iptables -L -v -n | grep 'LOG'` rejects=`iptables -L -v -n | grep 'LOG'`
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
@ -437,8 +441,8 @@ usage() # $1 = exit status
# Display the time that the counters were last reset # # Display the time that the counters were last reset #
################################################################################# #################################################################################
show_reset() { show_reset() {
[ -f /var/lib/shorewall/restarted ] && \ [ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n" echo -e "Counters reset `cat $STATEDIR/restarted`\\n"
} }
################################################################################# #################################################################################
@ -491,7 +495,7 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
functions=/var/lib/shorewall/functions functions=/usr/lib/shorewall/functions
if [ -f $functions ]; then if [ -f $functions ]; then
. $functions . $functions
@ -500,7 +504,7 @@ else
exit 2 exit 2
fi fi
firewall=/var/lib/shorewall/firewall firewall=/usr/lib/shorewall/firewall
if [ ! -f $firewall ]; then if [ ! -f $firewall ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
@ -508,7 +512,7 @@ if [ ! -f $firewall ]; then
echo " $firewall is a symbolic link to a" echo " $firewall is a symbolic link to a"
echo " non-existant file" echo " non-existant file"
else else
echo " The file /var/lib/shorewall/firewall does not exist" echo " The file /usr/lib/shorewall/firewall does not exist"
fi fi
exit 2 exit 2
@ -516,13 +520,13 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
version_file=/var/lib/shorewall/version version_file=/usr/lib/shorewall/version
if [ -f $version_file ]; then if [ -f $version_file ]; then
version=`cat $version_file` version=`cat $version_file`
else else
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
echo " The file /var/lib/shorewall/version does not exist" echo " The file /usr/lib/shorewall/version does not exist"
exit 1 exit 1
fi fi
@ -546,6 +550,7 @@ case "$1" in
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
get_config
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
show_reset show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
@ -553,6 +558,7 @@ case "$1" in
log) log)
get_config get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log 20 packet_log 20
;; ;;
@ -561,6 +567,7 @@ case "$1" in
show_tc show_tc
;; ;;
*) *)
get_config
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
show_reset show_reset
iptables -L $2 -n -v iptables -L $2 -n -v
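Review bot: show_reset (hunk `@ -437,8 +441,8 @@`) now reads `$STATEDIR`, but nothing in the function guarantees the variable is set, and with it empty the test silently becomes `[ -f /restarted ]`. The hunks for the tos|mangle and default cases add a get_config call right before show_reset, which suggests get_config is what populates STATEDIR; the show_reset calls added in monitor_firewall and logwatch (hunks at lines 312 and 384) have no such call in view, and both function bodies extend outside their hunks, so whether STATEDIR is already set there cannot be confirmed from this diff. A defensive guard keeps the helper correct regardless of caller: `[ -n "$STATEDIR" -a -f "$STATEDIR/restarted" ] && \`.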


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.8 %define version 1.3.9a
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -40,16 +40,40 @@ export GROUP=`id -n -g` ;\
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%post %post
if [ -x /sbin/insserv ]; then /sbin/insserv /etc/rc.d/shorewall; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --add shorewall; fi
if [ $1 -eq 1 ]; then
echo \
"########################################################################
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
########################################################################" \
> /etc/shorewall/startup_disabled
if [ -x /sbin/insserv ]; then
/sbin/insserv /etc/rc.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --add shorewall;
fi
fi
%preun %preun
if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/shorewall ; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --del shorewall; fi ; fi
if [ $1 = 0 ]; then
if [ -x /sbin/insserv ]; then
/sbin/insserv -r /etc/init.d/shorewall
elif [ -x /sbin/chkconfig ]; then
/sbin/chkconfig --del shorewall
fi
rm -f /etc/shorewall/startup_disabled
fi
%files %files
/etc/init.d/shorewall /etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall %attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/lib/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall %attr(0700,root,root) %dir /var/lib/shorewall
%attr(0600,root,root) /var/lib/shorewall/version %attr(0600,root,root) /usr/lib/shorewall/version
%attr(0600,root,root) /etc/shorewall/common.def %attr(0600,root,root) /etc/shorewall/common.def
%attr(0600,root,root) /etc/shorewall/icmp.def %attr(0600,root,root) /etc/shorewall/icmp.def
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
@ -70,12 +94,16 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist %attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918 %attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /var/lib/shorewall/functions %attr(0444,root,root) /usr/lib/shorewall/functions
/var/lib/shorewall/firewall /usr/lib/shorewall/firewall
%doc documentation %doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.9a
* Thu Sep 18 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.8
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net> * Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.8 - Changed version to 1.3.8
* Mon Sep 02 2002 Tom Eastep <tom@shorewall.net> * Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
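Review bot: The `/etc/shorewall/startup_disabled` marker created in `%post` (hunk `@ -40,16 +40,40 @@`) is not declared in `%files`, so rpm has no record of it: `rpm -ql`/`rpm -V` will not show it and its removal depends entirely on the hand-written `rm -f` in `%preun`. Declaring it as `%ghost /etc/shorewall/startup_disabled` records the file as package-owned without shipping it in the payload, and rpm should then remove it on erase itself, leaving the `%preun` line as a harmless fallback. A smaller point of style in the same hunk: `%post` tests `$1 -eq 1` while `%preun` tests `$1 = 0`; one comparison form for both scriptlets would read more consistently.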


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.8 VERSION=1.3.9a
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -78,9 +78,15 @@ if qt iptables -L shorewall -n; then
/sbin/shorewall clear /sbin/shorewall clear
fi fi
if [ -L /var/lib/shorewall/firewall ]; then if [ -L /usr/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
elif [ -L /var/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'` FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
else
FIREWALL=
fi
if [ -n "$FIREWALL" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
insserv -r $FIREWALL insserv -r $FIREWALL
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
@ -97,6 +103,7 @@ if [ -n "$VERSION" ]; then
fi fi
rm -rf /etc/shorewall rm -rf /etc/shorewall
rm -rf /usr/lib/shorewall
rm -rf /var/lib/shorewall rm -rf /var/lib/shorewall
echo "Shorewall Uninstalled" echo "Shorewall Uninstalled"
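Review bot: The new link resolution in hunk `@ -78,9 +78,15 @@` recovers the init-script path by parsing `ls -l` output with `sed 's/^.*> //'`, which is fragile: any `> ` sequence in the link target or the listing breaks it, and the result is then handed to `insserv -r`/`chkconfig --del`. If readlink(1) is available on the supported platforms, `FIREWALL=\`readlink /usr/lib/shorewall/firewall\`` (and the same for the /var/lib fallback) removes the text parsing entirely. The `if [ -n "$FIREWALL" ]` block opened at the end of this hunk closes outside it, so the behaviour when FIREWALL is empty (no deregistration, but the `rm -rf` steps still run) is inferred rather than seen.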


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.9 VERSION=1.3.9a
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.9 VERSION=1.3.9a
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.9 %define version 1.3.9a
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -100,6 +100,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.9a
* Thu Sep 18 2002 Tom Eastep <tom@shorewall.net> * Thu Sep 18 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.8 - Changed version to 1.3.8
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net> * Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.9 VERSION=1.3.9a
usage() # $1 = exit status usage() # $1 = exit status
{ {