mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
Spell check pass through first half of docs.
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6f231a7a43
commit
aac55dbac4
@ -26,7 +26,7 @@
|
||||
<copyright>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Eric de Thoars and Tom Eastep</holder>
|
||||
<holder>Eric de Thouars and Tom Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
|
@ -202,7 +202,7 @@
|
||||
on outbound ones.</para>
|
||||
|
||||
<para>Accounting rules are not stateful -- each rule only handles traffic
|
||||
in one direction. For example, if eth0 is your internet interface, and you
|
||||
in one direction. For example, if eth0 is your Internet interface, and you
|
||||
have a web server in your DMZ connected to eth1, then to count HTTP
|
||||
traffic in both directions requires two rules:</para>
|
||||
|
||||
|
@ -144,9 +144,9 @@ ACCEPT - - tcp 135,139,445
|
||||
<para>Ensure correct operation. Default actions can also avoid common
|
||||
pitfalls like dropping connection requests on port TCP port 113. If
|
||||
these connections are dropped (rather than rejected) then you may
|
||||
encounter problems connecting to internet services that utilize the
|
||||
encounter problems connecting to Internet services that utilize the
|
||||
AUTH protocol of client authentication<footnote>
|
||||
<para>AUTH is actually pretty silly on today's internet but it's
|
||||
<para>AUTH is actually pretty silly on today's Internet but it's
|
||||
amazing how many servers still employ it.</para>
|
||||
</footnote></para>
|
||||
</listitem>
|
||||
|
@ -81,7 +81,7 @@
|
||||
class="directory">/usr/share/shorewall</filename>, <filename
|
||||
class="directory">/etc/shorewall</filename>,
|
||||
<filename>/etc/init.d</filename> and <filename
|
||||
class="directory">/var/lilb/shorewall/</filename>. These are described in
|
||||
class="directory">/var/lib/shorewall/</filename>. These are described in
|
||||
the sub-sections that follow.</para>
|
||||
|
||||
<section id="sbin">
|
||||
@ -363,7 +363,7 @@
|
||||
class="directory">/usr/share/shorewall-lite</filename>, /etc/<filename
|
||||
class="directory">shorewall-lite</filename>,
|
||||
<filename>/etc/init.d</filename> and <filename
|
||||
class="directory">/var/lilb/shorewall/</filename>. These are described in
|
||||
class="directory">/var/lib/shorewall/</filename>. These are described in
|
||||
the sub-sections that follow.</para>
|
||||
|
||||
<section id="sbin-lite">
|
||||
|
@ -226,7 +226,7 @@
|
||||
<note>
|
||||
<para>The firewall systems do <emphasis role="bold">NOT</emphasis>
|
||||
need to have the full Shorewall product installed but rather only
|
||||
the Shorewall Lite product. Shorewall and Shorewall LIte may be
|
||||
the Shorewall Lite product. Shorewall and Shorewall Lite may be
|
||||
installed on the same system but that isn't encouraged.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
|
@ -50,7 +50,7 @@
|
||||
<title>Explicit Congestion Notification (ECN)</title>
|
||||
|
||||
<para>Explicit Congestion Notification (ECN) is described in RFC 3168 and
|
||||
is a proposed internet standard. Unfortunately, not all sites support ECN
|
||||
is a proposed Internet standard. Unfortunately, not all sites support ECN
|
||||
and when a TCP connection offering ECN is sent to sites that don't support
|
||||
it, the result is often that the connection request is ignored.</para>
|
||||
|
||||
|
74
docs/FAQ.xml
74
docs/FAQ.xml
@ -135,7 +135,7 @@
|
||||
|
||||
<section id="faq76">
|
||||
<title>(FAQ 76) I just upgraded my Debian system and now masquerading
|
||||
doesn work? What happened?</title>
|
||||
doesn't work? What happened?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> This happens to people
|
||||
who ignore <ulink url="Install.htm#Upgrade_Deb">our advice</ulink> and
|
||||
@ -149,7 +149,7 @@
|
||||
|
||||
<section id="faq76a">
|
||||
<title>(FAQ 76a) I just upgraded my Ubuntu system and now masquerading
|
||||
doesn work? What happened?</title>
|
||||
doesn't work? What happened?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> See <link
|
||||
linkend="faq76">above</link>.</para>
|
||||
@ -157,7 +157,7 @@
|
||||
|
||||
<section id="faq76b">
|
||||
<title>(FAQ 76b) I just upgraded my Kubuntu system and now
|
||||
masquerading doesn work? What happened?</title>
|
||||
masquerading doesn't work? What happened?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> See <link
|
||||
linkend="faq76">above</link>.</para>
|
||||
@ -193,7 +193,7 @@ DNAT net loc:192.168.1.5 udp 7777</programlisting>
|
||||
# PORT DEST.
|
||||
DNAT net loc:<emphasis>local-IP-address</emphasis>>[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis> - <emphasis>external-IP</emphasis></programlisting>
|
||||
|
||||
<para>If you want to forward requests from a particular internet address
|
||||
<para>If you want to forward requests from a particular Internet address
|
||||
( <emphasis>address</emphasis> ):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
@ -253,7 +253,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
|
||||
<listitem>
|
||||
<para>As root, type <quote> <command>shorewall reset</command>
|
||||
</quote> ("<command>shorewall-lite reset</command>", if you are
|
||||
running Shorewall Lite). This clears all NetFilter
|
||||
running Shorewall Lite). This clears all Netfilter
|
||||
counters.</para>
|
||||
</listitem>
|
||||
|
||||
@ -315,7 +315,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
|
||||
the connection is being dropped or rejected. If it is, then you
|
||||
may have a zone definition problem such that the server is in a
|
||||
different zone than what is specified in the DEST column. At a
|
||||
root promt, type "<command>shorewall show zones</command>"
|
||||
root prompt, type "<command>shorewall show zones</command>"
|
||||
("<command>shorewall-lite show zones</command>") then be sure that
|
||||
in the DEST column you have specified the <emphasis
|
||||
role="bold">first</emphasis> zone in the list that matches
|
||||
@ -335,7 +335,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
|
||||
</section>
|
||||
|
||||
<section id="faq1c">
|
||||
<title>(FAQ 1c) From the internet, I want to connect to port 1022 on
|
||||
<title>(FAQ 1c) From the Internet, I want to connect to port 1022 on
|
||||
my firewall and have the firewall forward the connection to port 22 on
|
||||
local system 192.168.1.3. How do I do that?</title>
|
||||
|
||||
@ -462,7 +462,7 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</
|
||||
|
||||
<section id="faq1g">
|
||||
<title>(FAQ 1g) I would like to redirect port 80 on my public IP
|
||||
address (206.124.146.176) to port 993 on internet host
|
||||
address (206.124.146.176) to port 993 on Internet host
|
||||
66.249.93.111</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: This requires a vile
|
||||
@ -497,8 +497,8 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlistin
|
||||
Guide</ulink> appropriate for your setup; the guides cover this topic in
|
||||
a tutorial fashion. DNAT rules should be used for connections that need
|
||||
to go the opposite direction from SNAT/MASQUERADE. So if you masquerade
|
||||
or use SNAT from your local network to the internet then you will need
|
||||
to use DNAT rules to allow connections from the internet to your local
|
||||
or use SNAT from your local network to the Internet then you will need
|
||||
to use DNAT rules to allow connections from the Internet to your local
|
||||
network. You also want to use DNAT rules when you intentionally want to
|
||||
rewrite the destination IP address or port number. In all other cases,
|
||||
you use ACCEPT unless you need to hijack connections as they go through
|
||||
@ -537,7 +537,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlistin
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Having an internet-accessible server in your local network is
|
||||
<para>Having an Internet-accessible server in your local network is
|
||||
like raising foxes in the corner of your hen house. If the server is
|
||||
compromised, there's nothing between that server and your other
|
||||
internal systems. For the cost of another NIC and a cross-over
|
||||
@ -559,7 +559,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlistin
|
||||
</itemizedlist>
|
||||
|
||||
<para>So the best and most secure way to solve this problem is to move
|
||||
your internet-accessible server(s) to a separate LAN segment with it's
|
||||
your Internet-accessible server(s) to a separate LAN segment with it's
|
||||
own interface to your firewall and follow <link linkend="faq2b">FAQ
|
||||
2b</link>. That way, your local systems are still safe if your server
|
||||
gets hacked and you don't have to run a split DNS configuration
|
||||
@ -643,7 +643,7 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
|
||||
<para>If the ALL INTERFACES column in /etc/shorewall/nat is empty or
|
||||
contains <quote>Yes</quote>, you will also see log messages like the
|
||||
following when trying to access a host in Z from another host in Z
|
||||
using the destination hosts's public address:</para>
|
||||
using the destination host's public address:</para>
|
||||
|
||||
<programlisting>Oct 4 10:26:40 netgw kernel:
|
||||
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200
|
||||
@ -685,7 +685,7 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/na</filename>t, be sure that you
|
||||
<para>In <filename>/etc/shorewall/nat</filename>, be sure that you
|
||||
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
|
||||
|
||||
<para>In /etc/shorewall/masq:</para>
|
||||
@ -802,7 +802,7 @@ DNAT loc dmz:192.168.2.4 tcp 80 - <emph
|
||||
<blockquote>
|
||||
<para><programlisting>> I know PoM -ng is going to address this issue, but till it is ready, and
|
||||
> all the extras are ported to it, is there any way to use the h.323
|
||||
> contrack module kernel patch with a 2.6 kernel?
|
||||
> conntrack module kernel patch with a 2.6 kernel?
|
||||
> Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not
|
||||
> an option... The module is not ported yet to 2.6, sorry.
|
||||
> Do I have any options besides a gatekeeper app (does not work in my
|
||||
@ -831,7 +831,7 @@ to debug/develop the newnat interface.</programlisting></para>
|
||||
url="shorewall_quickstart_guide.htm">Quick Start Guides</ulink> should
|
||||
have to ask this question.</para>
|
||||
|
||||
<para>Regardless of which guide you used, all outbound communcation is
|
||||
<para>Regardless of which guide you used, all outbound communication is
|
||||
open by default. So you do not need to 'open ports' for output.</para>
|
||||
|
||||
<para>For input:</para>
|
||||
@ -877,7 +877,7 @@ to debug/develop the newnat interface.</programlisting></para>
|
||||
<para><emphasis role="bold">Answer:</emphasis> The default Shorewall
|
||||
setup invokes the <emphasis role="bold">Drop</emphasis> action prior to
|
||||
enforcing a DROP policy and the default policy to all zones from the
|
||||
internet is DROP. The Drop action is defined in
|
||||
Internet is DROP. The Drop action is defined in
|
||||
<filename>/usr/share/shorewall/action.Drop</filename> which in turn
|
||||
invokes the <emphasis role="bold">Auth</emphasis> macro (defined in
|
||||
<filename>/usr/share/shorewall/macro.Auth</filename>) specifying the
|
||||
@ -916,7 +916,7 @@ to debug/develop the newnat interface.</programlisting></para>
|
||||
establishment of new connections. Once a connection is established
|
||||
through the firewall it will be usable until disconnected (tcp) or
|
||||
until it times out (other protocols). If you stop telnet and try to
|
||||
establish a new session your firerwall will block that attempt.</para>
|
||||
establish a new session your firewall will block that attempt.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq4c">
|
||||
@ -973,7 +973,7 @@ to debug/develop the newnat interface.</programlisting></para>
|
||||
<para>The DNS settings on the local systems are wrong or the user is
|
||||
running a DNS server on the firewall and hasn't enabled UDP and TCP
|
||||
port 53 from the local net to the firewall or from the firewall to
|
||||
the internet.</para>
|
||||
the Internet.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -1042,7 +1042,7 @@ to debug/develop the newnat interface.</programlisting></para>
|
||||
may no longer be defined in terms of bridge ports. See <ulink
|
||||
url="bridge-Shorewall-perl.html">the new Shorewall-shell bridging
|
||||
documentation</ulink> for information about configuring a
|
||||
bridge/firewall under kernel 2.6.20 and later with Shoreawall shell or
|
||||
bridge/firewall under kernel 2.6.20 and later with Shorewall shell or
|
||||
the<ulink url="bridge-Shorewall-perl.html"> Shorewall-perl bridging
|
||||
documentation</ulink> if you use Shorewall-perl
|
||||
(highly-recommended).<note>
|
||||
@ -1167,7 +1167,7 @@ DROP net fw udp 10619</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>the ethernet frame type (2 bytes)</para>
|
||||
<para>the Ethernet frame type (2 bytes)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -1216,7 +1216,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
<emphasis role="bold">less than</emphasis> this number are sent to the
|
||||
console. On the system shown in the example above, priorities 0-5 are
|
||||
sent to the console. Since Shorewall defaults to using 'info' (6), the
|
||||
Shorewall-generated Netfilter ruleset will generate log messages that
|
||||
Shorewall-generated Netfilter rule set will generate log messages that
|
||||
<emphasis role="bold">will not appear on the console.</emphasis></para>
|
||||
|
||||
<para>The second number is the default log level for kernel printk()
|
||||
@ -1252,7 +1252,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
messages or the content of the messages.</para>
|
||||
|
||||
<para>The actual log file where Netfilter messages are written is not
|
||||
standardized and will vary by distribution and distribusion version.
|
||||
standardized and will vary by distribution and distribution version.
|
||||
But anytime you see no logging, it's time to look outside the
|
||||
Shorewall configuration for the cause. As an example, recent
|
||||
<trademark>SuSE</trademark> releases use syslog-ng by default and
|
||||
@ -1376,7 +1376,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>blacklst</term>
|
||||
<term>blacklist</term>
|
||||
|
||||
<listitem>
|
||||
<para>The packet is being logged because the source IP is
|
||||
@ -1634,7 +1634,7 @@ modprobe: Can't locate module iptable_raw</programlisting>
|
||||
<title>Routing</title>
|
||||
|
||||
<section id="faq32">
|
||||
<title>(FAQ 32) My firewall has two connections to the internet from two
|
||||
<title>(FAQ 32) My firewall has two connections to the Internet from two
|
||||
different ISPs. How do I set this up in Shorewall?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: See <ulink
|
||||
@ -1933,7 +1933,7 @@ iptables: Invalid argument
|
||||
of the control of the packaging system and provides consistent behavior
|
||||
between the init scripts and <filename>/sbin/shorewall</filename> (and
|
||||
<filename>/sbin/shorewall-lite</filename>). For more information on the
|
||||
tradeoffs involved when deciding whether to use the Debian package, see
|
||||
factors involved when deciding whether to use the Debian package, see
|
||||
<ulink url="http://wiki.shorewall.net/wiki/ShorewallOnDebian">this
|
||||
article</ulink>.</para>
|
||||
</section>
|
||||
@ -2004,7 +2004,7 @@ iptables: Invalid argument
|
||||
<title>Traffic Shaping</title>
|
||||
|
||||
<section id="faq67">
|
||||
<title>(FAQ 67) I just configured Shorewall's builtin traffic shaping
|
||||
<title>(FAQ 67) I just configured Shorewall's built in traffic shaping
|
||||
and now Shorewall fails to Start.</title>
|
||||
|
||||
<para>The error I receive is as follows:<programlisting>RTNETLINK answers: No such file or directory
|
||||
@ -2086,7 +2086,7 @@ We have an error talking to the kernel
|
||||
|
||||
<section id="faq25a">
|
||||
<title>(FAQ 25a) How do I tell which version of Shorewall-perl and
|
||||
Shorewall-shell that I have intalled?</title>
|
||||
Shorewall-shell that I have installed?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: At the shell prompt,
|
||||
type:</para>
|
||||
@ -2174,7 +2174,7 @@ We have an error talking to the kernel
|
||||
<section id="faq14">
|
||||
<title>(FAQ 14) I'm connected via a cable modem and it has an internal
|
||||
web server that allows me to configure/monitor it but as expected if I
|
||||
enable rfc1918 blocking for my eth0 interface (the internet one), it
|
||||
enable rfc1918 blocking for my eth0 interface (the Internet one), it
|
||||
also blocks the cable modems web server.</title>
|
||||
|
||||
<para>Is there any way it can add a rule before the rfc1918 blocking
|
||||
@ -2217,7 +2217,7 @@ We have an error talking to the kernel
|
||||
</section>
|
||||
|
||||
<section id="faq14b">
|
||||
<title>(FAQ 14b) I connect to the internet with PPPoE. When I try to
|
||||
<title>(FAQ 14b) I connect to the Internet with PPPoE. When I try to
|
||||
access the built-in web server in my DSL Modem, I get connection
|
||||
Refused.</title>
|
||||
|
||||
@ -2285,7 +2285,7 @@ eth0 eth1 # eth1 = interface to local netwo
|
||||
|
||||
<section id="faq18">
|
||||
<title>(FAQ 18) Is there any way to use aliased ip addresses with
|
||||
Shorewall, and maintain separate rulesets for different IPs?</title>
|
||||
Shorewall, and maintain separate rule sets for different IPs?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> Yes. See <ulink
|
||||
url="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased
|
||||
@ -2369,7 +2369,7 @@ eth0 eth1 # eth1 = interface to local netwo
|
||||
<command>iptables-restore</command> to instantiate the Netfilter
|
||||
configuration. So it runs much faster than the script generated by
|
||||
the Shorewall-shell compiler and doesn't disable new connections
|
||||
during ruleset installation.</para>
|
||||
during rule set installation.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -2432,7 +2432,7 @@ rmmod nf_conntrack_sip</programlisting>Then change the DONT_LOAD specification
|
||||
|
||||
<section id="faq20">
|
||||
<title>(FAQ 20) I have just set up a server. Do I have to change
|
||||
Shorewall to allow access to my server from the internet?</title>
|
||||
Shorewall to allow access to my server from the Internet?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Yes. Consult the <ulink
|
||||
url="shorewall_quickstart_guide.htm">QuickStart guide</ulink> that you
|
||||
@ -2441,8 +2441,8 @@ rmmod nf_conntrack_sip</programlisting>Then change the DONT_LOAD specification
|
||||
</section>
|
||||
|
||||
<section id="faq24">
|
||||
<title>(FAQ 24) How can I allow conections to let's say the ssh port
|
||||
only from specific IP Addresses on the internet?</title>
|
||||
<title>(FAQ 24) How can I allow connections to let's say the ssh port
|
||||
only from specific IP Addresses on the Internet?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: In the SOURCE column of
|
||||
the rule, follow <quote>net</quote> by a colon and a list of the
|
||||
@ -2540,14 +2540,14 @@ REJECT fw net:pagead2.googlesyndication.com all</programlisting
|
||||
headers at the front of each packet. Stateful packet filters (of which
|
||||
Netfilter is an example) use a combination of header contents and state
|
||||
created when the packet filter processed earlier packets. Netfilter (and
|
||||
Shorewall's use of netfilter) also consider the network interface(s)
|
||||
Shorewall's use of Netfilter) also consider the network interface(s)
|
||||
where each packet entered and/or where the packet will leave the
|
||||
firewall/router.</para>
|
||||
|
||||
<para>When you specify <ulink
|
||||
url="configuration_file_basics.htm#dnsnames">a domain name in a
|
||||
Shorewall rule</ulink>, the iptables program resolves that name to one
|
||||
or more IP addresses and the actual netfilter rules that are created are
|
||||
or more IP addresses and the actual Netfilter rules that are created are
|
||||
expressed in terms of those IP addresses. So the rule that you entered
|
||||
was equivalent to:</para>
|
||||
|
||||
|
@ -319,7 +319,7 @@ xt_tcpudp 3328 0
|
||||
|
||||
<example id="Example2">
|
||||
<title>if you run an FTP server that listens on port 49 or you need to
|
||||
access a server on the internet that listens on that port then you would
|
||||
access a server on the Internet that listens on that port then you would
|
||||
have:</title>
|
||||
|
||||
<programlisting>loadmodule nf_conntrack_ftp ports=21,49
|
||||
@ -414,7 +414,7 @@ FTP/ACCEPT dmz net</programlisting>
|
||||
|
||||
<para>Note that the FTP connection tracking in the kernel cannot handle
|
||||
cases where a PORT command (or PASV reply) is broken across two packets or
|
||||
is misssing the ending <cr>/<lf>. When such cases occur, you
|
||||
is missing the ending <cr>/<lf>. When such cases occur, you
|
||||
will see a console message similar to this one:</para>
|
||||
|
||||
<programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
|
||||
|
@ -54,7 +54,7 @@
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
||||
communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorwall/tunnels file, the
|
||||
accomplished through use of the /etc/shorewall/tunnels file, the
|
||||
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
|
||||
included with Shorewall.</para>
|
||||
|
||||
|
@ -43,7 +43,7 @@
|
||||
</articleinfo>
|
||||
|
||||
<warning>
|
||||
<para>GRE and IPIP Tunnels are insecure when used over the internet; use
|
||||
<para>GRE and IPIP Tunnels are insecure when used over the Internet; use
|
||||
them at your own risk</para>
|
||||
</warning>
|
||||
|
||||
|
@ -48,9 +48,9 @@
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Shorewall verions 2.2.0 and later include support for the ipp2p
|
||||
<para>Shorewall versions 2.2.0 and later include support for the ipp2p
|
||||
match facility. This is a departure from my usual policy in that the ipp2p
|
||||
match facility is included in Patch-O-Matic-NG and is unlikely to ever be
|
||||
match facility is included in Patch-O-Matic-ENG and is unlikely to ever be
|
||||
included in the kernel.org source tree. Questions about how to install the
|
||||
patch or how to build your kernel and/or iptables should not be posted on
|
||||
the Shorewall mailing lists but should rather be referred to the Netfilter
|
||||
|
@ -76,7 +76,7 @@
|
||||
broken when used with a bridge device. The problem has been reported to
|
||||
the responsible Netfilter developer who has confirmed the problem. The
|
||||
problem was presumably corrected in Kernel 2.6.20 as a result of the
|
||||
removal of defered FORWARD/OUTPUT processing of traffic destined for a
|
||||
removal of deferred FORWARD/OUTPUT processing of traffic destined for a
|
||||
bridge. See the <ulink
|
||||
url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged
|
||||
Firewalls</emphasis>"</ulink> article.</para>
|
||||
@ -134,7 +134,7 @@
|
||||
by normal rules and policies.</para>
|
||||
|
||||
<para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
|
||||
and zones was made easy by the presense of IPSEC pseudo-interfaces with
|
||||
and zones was made easy by the presence of IPSEC pseudo-interfaces with
|
||||
names of the form <filename class="devicefile">ipsecn</filename> (e.g.
|
||||
<filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
|
||||
traffic (case 1.) was send through an <filename
|
||||
@ -201,11 +201,11 @@
|
||||
|
||||
<note>
|
||||
<para>For simple zones such as are shown in the following examples, the
|
||||
two techniques are equivalent and are used interchangably.</para>
|
||||
two techniques are equivalent and are used interchangeably.</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>It is redundent to have <emphasis role="bold">ipsec</emphasis> in
|
||||
<para>It is redundant to have <emphasis role="bold">ipsec</emphasis> in
|
||||
the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
|
||||
for a zone and to also have the <emphasis role="bold">ipsec</emphasis>
|
||||
option in <filename>/etc/shorewall/hosts</filename> entries for that
|
||||
@ -234,13 +234,13 @@
|
||||
<section id="GwFw">
|
||||
<title>IPSec Gateway on the Firewall System</title>
|
||||
|
||||
<para>Suppose that we have the following sutuation:</para>
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
|
||||
communicate with systems in the 10.0.0.0/8 network. We assume that on both
|
||||
systems A and B, eth0 is the internet interface.</para>
|
||||
systems A and B, eth0 is the Internet interface.</para>
|
||||
|
||||
<para>To make this work, we need to do two things:</para>
|
||||
|
||||
@ -301,7 +301,7 @@ net ipv4
|
||||
</blockquote>
|
||||
|
||||
<para>Remember the assumption that both systems A and B have eth0 as their
|
||||
internet interface.</para>
|
||||
Internet interface.</para>
|
||||
|
||||
<para>You must define the vpn zone using the
|
||||
<filename>/etc/shorewall/hosts</filename> file. The hosts file entries
|
||||
@ -448,11 +448,11 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
|
||||
}</programlisting>
|
||||
|
||||
<warning>
|
||||
<para>If you have hosts that access the internet through an IPSEC
|
||||
<para>If you have hosts that access the Internet through an IPSEC
|
||||
tunnel, then it is a good idea to set the MSS value for traffic from
|
||||
those hosts explicitly in the
|
||||
<filename>/etc/shorewall/zones</filename> file. For example, if hosts
|
||||
in the <emphasis role="bold">sec</emphasis> zone access the internet
|
||||
in the <emphasis role="bold">sec</emphasis> zone access the Internet
|
||||
through an ESP tunnel then the following entry would be
|
||||
appropriate:</para>
|
||||
|
||||
@ -605,7 +605,7 @@ spdflush;</programlisting>
|
||||
|
||||
<para>On the mobile system (system B), it is not possible to create a
|
||||
static IPSEC configuration because the IP address of the laptop's
|
||||
internet connection isn't static. I have created an 'ipsecvpn' script
|
||||
Internet connection isn't static. I have created an 'ipsecvpn' script
|
||||
and included in the tarball and in the RPM's documentation directory;
|
||||
this script can be used to start and stop the connection.</para>
|
||||
|
||||
@ -726,7 +726,7 @@ loc ipv4
|
||||
<para>Since the L2TP will require the use of pppd, you will end up with
|
||||
one or more ppp interfaces (each representing an individual road warrior
|
||||
connection) for which you will need to account. This can be done by
|
||||
modifying the inerfaces file. (Modify with additional options as
|
||||
modifying the interfaces file. (Modify with additional options as
|
||||
needed.)</para>
|
||||
|
||||
<blockquote>
|
||||
|
@ -105,13 +105,13 @@ conn packetdefault
|
||||
<section id="GwFw">
|
||||
<title>IPSec Gateway on the Firewall System</title>
|
||||
|
||||
<para>Suppose that we have the following sutuation:</para>
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
|
||||
communicate with systems in the 10.0.0.0/8 network. We assume that on both
|
||||
systems A and B, eth0 is the internet interface.</para>
|
||||
systems A and B, eth0 is the Internet interface.</para>
|
||||
|
||||
<para>To make this work, we need to do two things:</para>
|
||||
|
||||
@ -177,7 +177,7 @@ vpn ipsec0</programlisting>
|
||||
<filename>/etc/shorewall/zones</filename>.</emphasis></para>
|
||||
|
||||
<para>Remember the assumption that both systems A and B have eth0 as
|
||||
their internet interface.</para>
|
||||
their Internet interface.</para>
|
||||
|
||||
<para>You must define the vpn zone using the /etc/shorewall/hosts
|
||||
file.</para>
|
||||
@ -193,7 +193,7 @@ vpn eth0:10.0.0.0/8</programlisting>
|
||||
vpn eth0:192.168.1.0/24</programlisting>
|
||||
|
||||
<para>In addition, <emphasis role="bold">if you are using Masquerading
|
||||
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
|
||||
or SNAT</emphasis> on your firewalls, you need to eliminate the remote
|
||||
network from Masquerade/SNAT. These entries <emphasis
|
||||
role="bold">replace</emphasis> your current masquerade/SNAT entries for
|
||||
the local networks.</para>
|
||||
@ -229,7 +229,7 @@ vpn loc ACCEPT</programlisting>
|
||||
|
||||
<para>Shorewall can be used in a VPN Hub environment where multiple remote
|
||||
networks are connected to a gateway running Shorewall. This environment is
|
||||
shown in this diatram.</para>
|
||||
shown in this diagram.</para>
|
||||
|
||||
<graphic fileref="images/ThreeNets.png" />
|
||||
|
||||
@ -425,7 +425,7 @@ ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
|
||||
Shorewall will issue warnings to that effect. These warnings may be safely
|
||||
ignored. FreeS/Wan may now be configured to have three different Road
|
||||
Warrior connections with the choice of connection being based on X-509
|
||||
certificates or some other means. Each of these connectioins will utilize
|
||||
certificates or some other means. Each of these connections will utilize
|
||||
a different updown script that adds the remote station to the appropriate
|
||||
zone when the connection comes up and that deletes the remote station when
|
||||
the connection comes down. For example, when 134.28.54.2 connects for the
|
||||
|
@ -38,7 +38,7 @@
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
||||
later. If you are installing or upgradeing to a version of Shorewall
|
||||
later. If you are installing or upgrading to a version of Shorewall
|
||||
earlier than Shorewall 3.0.0 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
@ -490,12 +490,12 @@ tar -jxf shorewall-shell-4.0.0.tar.bz2</command> (if you use this compiler)</pro
|
||||
<blockquote>
|
||||
<para>It's *VERY* simple...just put in a new CD and reboot! :-)
|
||||
Actually, I'm only slightly kidding...that's exactly how I upgrade my
|
||||
prodution firewalls. The partial backup feature I added to Dachstein
|
||||
allows configuration data to be stored seperately from the rest of the
|
||||
production firewalls. The partial backup feature I added to Dachstein
|
||||
allows configuration data to be stored separately from the rest of the
|
||||
package.</para>
|
||||
|
||||
<para>Once the config data is seperated from the rest of the package,
|
||||
it's an easy matter to upgrade the pacakge while keeping your current
|
||||
<para>Once the config data is separated from the rest of the package,
|
||||
it's an easy matter to upgrade the package while keeping your current
|
||||
configuration (in my case, just inserting a new CD and
|
||||
re-booting).</para>
|
||||
|
||||
@ -521,7 +521,7 @@ tar -jxf shorewall-shell-4.0.0.tar.bz2</command> (if you use this compiler)</pro
|
||||
|
||||
<listitem>
|
||||
<para>Make sure you have a working copy of your existing firewall
|
||||
('OLD') in a safe place, that you *DO NOT* use durring this process.
|
||||
('OLD') in a safe place, that you *DO NOT* use during this process.
|
||||
That way, if anything goes wrong you can simply reboot off the OLD
|
||||
disk to get back to a working configuration.</para>
|
||||
</listitem>
|
||||
@ -593,7 +593,7 @@ tar -xzvf /mnt/package2.lrp
|
||||
<package>.list file that resides in /etc or /var/lib/lrpkg is
|
||||
part of the configuration data and is used to create the partial
|
||||
backup. If shorewall puts anything in /etc that isn't a user modified
|
||||
configuration file, a proper shorwall.local file should be created
|
||||
configuration file, a proper shorewall.local file should be created
|
||||
prior to making the partial backup [<emphasis role="bold">Editor's
|
||||
note</emphasis>: Shorewall places only user-modifiable files in
|
||||
/etc].</para>
|
||||
|
@ -65,8 +65,8 @@
|
||||
<listitem>
|
||||
<para>iptables-restore - a program included with iptables that
|
||||
allows for atomic installation of a set of Netfilter rules. This is
|
||||
a much more efficient way to install a ruleset than running the
|
||||
iptables utility once for each rule in the ruleset.</para>
|
||||
a much more efficient way to install a rule set than running the
|
||||
iptables utility once for each rule in the rule set.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -269,17 +269,17 @@ loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>In the three-interface
|
||||
sample, the line below is included but commented out. If you want your
|
||||
firewall system to have full access to servers on the internet, uncomment
|
||||
firewall system to have full access to servers on the Internet, uncomment
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW net ACCEPT</programlisting> The above policy will:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Allow all connection requests from your local network to the
|
||||
internet</para>
|
||||
Internet</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Drop (ignore) all connection requests from the internet to
|
||||
<para>Drop (ignore) all connection requests from the Internet to
|
||||
your firewall or local networks; these ignored connection requests
|
||||
will be logged using the <emphasis>info</emphasis> syslog priority
|
||||
(log level).</para>
|
||||
@ -287,7 +287,7 @@ $FW net ACCEPT</programlisting> The above policy will:
|
||||
|
||||
<listitem>
|
||||
<para>Optionally accept all connection requests from the firewall to
|
||||
the internet (if you uncomment the additional policy)</para>
|
||||
the Internet (if you uncomment the additional policy)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -298,8 +298,8 @@ $FW net ACCEPT</programlisting> The above policy will:
|
||||
</itemizedlist></para>
|
||||
|
||||
<para>To illustrate how rules provide exceptions to policies, suppose that
|
||||
you have the polcies listed above but you want to be able to connect to
|
||||
your firewall from the internet using Secure Shell (SSH). Recall that SSH
|
||||
you have the polices listed above but you want to be able to connect to
|
||||
your firewall from the Internet using Secure Shell (SSH). Recall that SSH
|
||||
connects uses TCP port 22.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
@ -307,7 +307,7 @@ $FW net ACCEPT</programlisting> The above policy will:
|
||||
ACCEPT net $FW tcp 22</programlisting>
|
||||
|
||||
<para>So although you have a policy of ignoring all connection attempts
|
||||
from the net zone (from the internet), the above exception to that policy
|
||||
from the net zone (from the Internet), the above exception to that policy
|
||||
allows you to connect to the SSH server running on your firewall.</para>
|
||||
|
||||
<para>Because Shorewall makes no assumptions about what traffic you want
|
||||
@ -317,7 +317,7 @@ ACCEPT net $FW tcp 22</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The <ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||
guildes</ulink> point to pre-populated files for use in common setups
|
||||
guides</ulink> point to pre-populated files for use in common setups
|
||||
and the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide</ulink> shows you examples for use with other more complex
|
||||
setups.</para>
|
||||
@ -377,7 +377,7 @@ ACCEPT net $FW tcp 22</programlisting>
|
||||
highly portable to those Unix-like platforms that support Perl
|
||||
(including Cygwin) and is the compiler of choice for new Shorewall
|
||||
installations. Scripts created using Shorewall-perl use
|
||||
iptables-restore to install the generated Netfilter ruleset.</para>
|
||||
iptables-restore to install the generated Netfilter rule set.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -53,10 +53,10 @@
|
||||
<graphic align="center" fileref="images/Network2008.png" />
|
||||
|
||||
<para>My personal laptop (Ursa) hosts the virtual machines. As shown in
|
||||
the diagram, Ursa has routes to the internet through both the
|
||||
the diagram, Ursa has routes to the Internet through both the
|
||||
<trademark>Linksys</trademark> WRT300N and through my Shorewall firewall.
|
||||
This allows me to test the <ulink url="MultiISP.html">Shorewall Multi-ISP
|
||||
feature</ulink>, even though I only have a single internet
|
||||
feature</ulink>, even though I only have a single Internet
|
||||
connection</para>
|
||||
|
||||
<para>The Linux Bridges shown in the diagram are, of course, actually
|
||||
|
@ -41,7 +41,7 @@
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">MAC addresses are only visible within an
|
||||
ethernet segment so all MAC addresses used in verification must belong to
|
||||
Ethernet segment so all MAC addresses used in verification must belong to
|
||||
devices physically connected to one of the LANs to which your firewall is
|
||||
connected.</emphasis></para>
|
||||
|
||||
@ -175,7 +175,7 @@
|
||||
<term>INTERFACE</term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of an ethernet interface on the Shorewall
|
||||
<para>The name of an Ethernet interface on the Shorewall
|
||||
system.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -184,7 +184,7 @@
|
||||
<term>MAC</term>
|
||||
|
||||
<listitem>
|
||||
<para>The MAC address of a device on the ethernet segment connected
|
||||
<para>The MAC address of a device on the Ethernet segment connected
|
||||
by INTERFACE. It is not necessary to use the Shorewall MAC format in
|
||||
this column although you may use that format if you so choose.
|
||||
Beginning with Shorewall 3.1, you may specify "-" here if you enter
|
||||
|
@ -105,7 +105,7 @@
|
||||
|
||||
<member><ulink
|
||||
url="manpages/shorewall-providers.html">providers</ulink> - Define
|
||||
routing tables, usually for mutliple internet links.</member>
|
||||
routing tables, usually for multiple Internet links.</member>
|
||||
|
||||
<member><ulink url="manpages/shorewall-proxyarp.html">proxyarp</ulink>
|
||||
- Define Proxy ARP.</member>
|
||||
|
@ -90,7 +90,7 @@
|
||||
<para>Optional libraries are loaded upon demand based on the user's
|
||||
configuration.</para>
|
||||
|
||||
<para>In Shorewall 3.4, the optional librares are as follows.</para>
|
||||
<para>In Shorewall 3.4, the optional libraries are as follows.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
@ -75,7 +75,7 @@
|
||||
<title>Multiple Internet Connection Support</title>
|
||||
|
||||
<para>Beginning with Shorewall 2.3.2, limited support is included for
|
||||
multiple internet connections. Limitations of this support are as
|
||||
multiple Internet connections. Limitations of this support are as
|
||||
follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -110,7 +110,7 @@
|
||||
<title>Overview</title>
|
||||
|
||||
<para>Let's assume that a firewall is connected via two separate
|
||||
ethernet interfaces to two different ISPs as in the following
|
||||
Ethernet interfaces to two different ISPs as in the following
|
||||
diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
|
||||
@ -148,7 +148,7 @@
|
||||
|
||||
<para>When you use the <emphasis role="bold">track</emphasis> option in
|
||||
<filename>/etc/shorewall/providers</filename>, connections from the
|
||||
internet are automatically routed back out of the correct interface and
|
||||
Internet are automatically routed back out of the correct interface and
|
||||
through the correct ISP gateway. This works whether the connection is
|
||||
handled by the firewall itself or if it is routed or port-forwarded to a
|
||||
system behind the firewall.</para>
|
||||
@ -304,7 +304,7 @@
|
||||
be tracked so that responses may be routed back out this
|
||||
same interface.</para>
|
||||
|
||||
<para>You want to specify 'track' if internet hosts will be
|
||||
<para>You want to specify 'track' if Internet hosts will be
|
||||
connecting to local servers through this provider. Any time
|
||||
that you specify 'track', you will also want to specify
|
||||
'balance' (see below).</para>
|
||||
@ -338,7 +338,7 @@
|
||||
<important>
|
||||
<para>If you are using
|
||||
<filename>/etc/shorewall/providers</filename> because you
|
||||
have multiple internet connections, we recommend that you
|
||||
have multiple Internet connections, we recommend that you
|
||||
specify 'track' even if you don't need it. It helps
|
||||
maintain long-term connections in which there are
|
||||
significant periods with no traffic.</para>
|
||||
@ -367,7 +367,7 @@
|
||||
<important>
|
||||
<para>If you are using
|
||||
<filename>/etc/shorewall/providers</filename> because you
|
||||
have multiple internet connections, we recommend that you
|
||||
have multiple Internet connections, we recommend that you
|
||||
specify 'balance' even if you don't need it. You can still
|
||||
use entries in <filename>/etc/shorewall/tcrules</filename>
|
||||
to force all traffic to one provider or another.<note>
|
||||
@ -464,7 +464,7 @@
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>For those of you who are termnally confused between<emphasis
|
||||
<para>For those of you who are terminally confused between<emphasis
|
||||
role="bold"> track</emphasis> and <emphasis
|
||||
role="bold">balance</emphasis>:</para>
|
||||
|
||||
@ -494,7 +494,7 @@
|
||||
Shorewall copies all routes through the interface specified in the
|
||||
INTERFACE column plus the interfaces listed in this column.
|
||||
Normally, you will list all interfaces on your firewall in this
|
||||
column except those internet interfaces specified in the INTERFACE
|
||||
column except those Internet interfaces specified in the INTERFACE
|
||||
column of entries in this file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -532,7 +532,7 @@
|
||||
and any interfaces that do not have an IPv4 configuration. You should
|
||||
also omit interfaces like <emphasis role="bold">tun</emphasis>
|
||||
interfaces that are created dynamically. Traffic to networks handled by
|
||||
those intefaces should be routed through the main table using entries in
|
||||
those interfaces should be routed through the main table using entries in
|
||||
<filename>/etc/shorewall/route_rules</filename> (see Example 2 <link
|
||||
linkend="Examples">below</link>).</para>
|
||||
|
||||
@ -608,7 +608,7 @@
|
||||
<title>Martians</title>
|
||||
|
||||
<para>One problem that often arises with Multi-ISP configuration is
|
||||
'Martians'. If your internet interfaces are configured with the
|
||||
'Martians'. If your Internet interfaces are configured with the
|
||||
<emphasis role="bold">routefilter</emphasis> option in
|
||||
<filename>/etc/shorewall/interfaces</filename> (remember that if you set
|
||||
that option, you should also select <emphasis
|
||||
@ -965,7 +965,7 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
|
||||
OpenVPN (routed setup w/tunX) in combination with multiple providers.
|
||||
In this case you have to set up a rule to ensure that the OpenVPN
|
||||
traffic is routed back through the tunX interface(s) rather than
|
||||
through any of the providers. 10.8.0.0/24 is the subnet choosen in
|
||||
through any of the providers. 10.8.0.0/24 is the subnet chosen in
|
||||
your OpenVPN configuration (server 10.8.0.0 255.255.255.0).</para>
|
||||
|
||||
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
@ -981,7 +981,7 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Only ethernet (or ethernet-like) interfaces can be used. For
|
||||
<para>Only Ethernet (or Ethernet-like) interfaces can be used. For
|
||||
inbound traffic, the MAC addresses of the gateway routers are used
|
||||
to determine which provider a packet was received through. Note that
|
||||
only routed traffic can be categorized using this technique.</para>
|
||||
@ -1129,4 +1129,4 @@ linksys 1 1 - wlan0 172.20.1.1 track,balance=1,optional
|
||||
shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional</programlisting>/etc/shorewall/rules:<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
- - shorewall 11999</programlisting></para>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
||||
|
@ -90,7 +90,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>The order of entries in /etc/shorewall/hosts is immaterial as
|
||||
far as the generated ruleset is concerned.</para>
|
||||
far as the generated rule set is concerned.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -125,7 +125,7 @@
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The firewall requirements to/from the internet are the same
|
||||
<para>The firewall requirements to/from the Internet are the same
|
||||
for 192.168.1.0/24 and 192.168.2.0/24.</para>
|
||||
</listitem>
|
||||
|
||||
@ -180,7 +180,7 @@
|
||||
<title>Nested Zones</title>
|
||||
|
||||
<para>You can define one zone (called it <quote>loc</quote>) as being
|
||||
all hosts connectied to eth1 and a second zone <quote>loc1</quote>
|
||||
all hosts connected to eth1 and a second zone <quote>loc1</quote>
|
||||
(192.168.2.0/24) as a sub-zone.</para>
|
||||
|
||||
<graphic fileref="images/MultiZone1A.png" />
|
||||
@ -190,7 +190,7 @@
|
||||
connection request doesn't match a <quote>loc1</quote> rule, it will
|
||||
be matched against the <quote>loc</quote> rules. For example, if your
|
||||
loc1->net policy is CONTINUE then if a connection request from loc1
|
||||
to the internet doesn't match any rules for loc1->net then it will
|
||||
to the Internet doesn't match any rules for loc1->net then it will
|
||||
be checked against the loc->net rules.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
@ -302,7 +302,7 @@ loc1 loc NONE</programlisting>
|
||||
|
||||
<para>Nested zones may also be used to configure a
|
||||
<quote>one-armed</quote> router (I don't call it a <quote>firewall</quote>
|
||||
because it is very insecure. For example, if you connect to the internet
|
||||
because it is very insecure. For example, if you connect to the Internet
|
||||
via cable modem, your next door neighbor has full access to your local
|
||||
systems as does everyone else connected to the same cable modem head-end
|
||||
controller). Here eth0 is configured with both a public IP address and an
|
||||
|
Loading…
Reference in New Issue
Block a user