mirror of https://gitlab.com/shorewall/code.git synced 2024-12-30 18:19:04 +01:00

Fiddle with the document about my configuration

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2922 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-10-22 17:37:38 +00:00
parent 1fb2827f7e
commit abf477019c
10 changed files with 225 additions and 127 deletions

@ -23,7 +23,7 @@
<holder>Thomas M. Eastep</holder>
</copyright>
<edition>2.4.0</edition>
<edition>3.0.0</edition>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
@ -134,20 +134,6 @@
Please review the appropriate guide before trying to use this documentation
directly.</para>
<caution>
<para>Are you running Shorewall on <ulink
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark>
Linux</ulink> with a two-interface setup?</para>
<para>If so and if you configured your system while running a Mandrake
release earlier than 10.0 final then this documentation will not apply
directly to your environment. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have and
installing a configuration that matches this documentation. See the <ulink
url="two-interface.htm">Two-interface QuickStart Guide</ulink> for
details.</para>
</caution>
<orderedlist>
<listitem>
<para><ulink url="Kernel2.6.html">2.6 Kernel</ulink></para>
@ -617,6 +603,11 @@
<para><ulink url="samba.htm">SMB</ulink></para>
</listitem>
<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Squid with
Shorewall</ulink></para>
</listitem>
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
the Firewall</ulink><itemizedlist>
@ -631,12 +622,11 @@
</listitem>
<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Squid with
Shorewall</ulink></para>
<para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
</listitem>
<listitem>
<para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
<para><ulink url="support.htm">Support</ulink></para>
</listitem>
<listitem>

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>OpenVPN Tunnels</title>
<title>OpenVPN Tunnels and Bridges</title>
<authorgroup>
<author>
@ -21,7 +21,7 @@
</author>
</authorgroup>
<pubdate>2005-10-18</pubdate>
<pubdate>2005-10-19</pubdate>
<copyright>
<year>2003</year>

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-10-02</pubdate>
<pubdate>2005-10-21</pubdate>
<copyright>
<year>2004</year>
@ -83,6 +83,11 @@
<section>
<title>Requirements</title>
<para>Note that if you need a bridge but do not need to restrict the
traffic through the bridge then any version of Shorewall will work. See
the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
details.</para>
<para>In order to use Shorewall as a bridging firewall:</para>
<itemizedlist>
@ -112,11 +117,6 @@
installed.</para>
</listitem>
</itemizedlist>
<para>Note that if you need a bridge but do not need to restrict the
traffic through the bridge then any version of Shorewall will work. See
the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
details.</para>
</section>
<section>

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-09-29</pubdate>
<pubdate>2005-10-20</pubdate>
<copyright>
<year>2001-2005</year>
@ -127,8 +127,8 @@
</listitem>
<listitem>
<para><filename>/etc/shorewall/tunnels</filename> - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</para>
<para><filename>/etc/shorewall/tunnels</filename> - defines tunnels
(VPN) with end-points on the firewall system.</para>
</listitem>
<listitem>
@ -173,7 +173,8 @@
<listitem>
<para><filename>/etc/shorewall/actions</filename> and
<filename>/usr/share/shorewall/action.template</filename>.</para>
<filename>/usr/share/shorewall/action.template</filename> allow
user-defined actions.</para>
</listitem>
<listitem>
@ -227,13 +228,13 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
<title>Line Continuation</title>
<para>You may continue lines in the configuration files using the usual
backslash (<quote>\</quote>) followed immediately by a new line
character.</para>
backslash (<quote>\</quote>) followed immediately by a new line character
(Enter key).</para>
<example>
<title>Line Continuation</title>
<programlisting>ACCEPT net $FW tcp \
<programlisting>ACCEPT net $FW tcp \
smtp,www,pop3,imap #Services running on the firewall</programlisting>
</example>
</section>
@ -488,7 +489,8 @@ Shorewall has detected the following iptables/netfilter capabilities:
Packet Type Match: Not available
Policy Match: Available
Physdev Match: Available
<emphasis role="bold">IP range Match: Available &lt;-------------- </emphasis></programlisting>
<emphasis role="bold">IP range Match: Available &lt;--------------
</emphasis></programlisting>
</section>
<section id="Ports">
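Review bot: In the capabilities listing, the closing emphasis tag now sits on its own line inside <programlisting>, where whitespace is preserved, so the rendered output gains a line break and trailing blank line after "IP range Match: Available <--------------". Keep the closing emphasis and programlisting tags on the same line as the arrow, as they were before, and exempt listings from line rewrapping.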

@ -33,7 +33,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -42,8 +43,8 @@
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The <quote>dhcp</quote>
interface option described in this article allows for Netfilter to stay
out of DHCP&#39;s way for those operations that can be controlled by
Netfilter and prevents unwanted logging of DHCP-related traffic by
out of DHCP's way for those operations that can be controlled by Netfilter
and prevents unwanted logging of DHCP-related traffic by
Shorewall-generated Netfilter logging rules.</para>
</note>
@ -65,8 +66,6 @@
modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
</listitem>
</itemizedlist>
<para></para>
</section>
<section>
@ -75,22 +74,25 @@
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option for this interface in the
<ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file.&#x00A0;This will generate rules that will allow DHCP to and from
<ulink
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file.&nbsp;This will generate rules that will allow DHCP to and from
your firewall system.</para>
</listitem>
<listitem>
<para>If you know that the dynamic address is always going to be in
the same subnet, you can specify the subnet address in the
interface&#39;s entry in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
the same subnet, you can specify the subnet address in the interface's
entry in the <ulink
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file.</para>
</listitem>
<listitem>
<para>If you don&#39;t know the subnet address in advance, you should
specify <quote>detect</quote> for the interface&#39;s subnet address
in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
<para>If you don't know the subnet address in advance, you should
specify <quote>detect</quote> for the interface's subnet address in
the <ulink
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file and start Shorewall after the interface has started.</para>
</listitem>
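Review bot: The first list item replaces the numeric reference &#x00A0; with &nbsp; after "file.", and &nbsp; is not one of XML's predefined entities, so a parser that does not load the DocBook DTD's entity declarations cannot expand it. Keep the numeric reference, or use an ordinary space, since nothing in that sentence needs a non-breaking one. The &#39; to ' replacements in the same hunk are safe.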
@ -98,7 +100,7 @@
<para>In the event that the subnet address might change while
Shorewall is started, you need to arrange for a <quote>shorewall
refresh</quote> command to be executed when a new dynamic IP address
gets assigned to the interface. Check your DHCP client&#39;s
gets assigned to the interface. Check your DHCP client's
documentation.</para>
</listitem>
</itemizedlist>

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-10-13</pubdate>
<pubdate>2005-10-22</pubdate>
<copyright>
<year>2001-2005</year>
@ -52,15 +52,16 @@
releases.</para>
</caution>
<para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200) is
connected to eth2 and has IP address 192.168.1.1 (factory default). The
modem is configured in <quote>bridge</quote> mode so PPPoE is not
involved. I have a local network connected to eth3 (subnet
192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0,
and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure
the same IP address on both <filename class="devicefile">eth1</filename>
and <filename class="devicefile">eth2</filename>.</para>
<para>I have DSL service with 5 static IP addresses (206.124.146.176-180).
My DSL <quote>modem</quote> (Westell 2200) is connected to eth2 and has IP
address 192.168.1.1 (factory default). The modem is configured in
<quote>bridge</quote> mode so PPPoE is not involved. I have a local
network connected to eth3 which is bridged to interface tun0 via bridge
br0 (subnet 192.168.1.0/24), a wireless network (192.168.3.0/24) connected
to eth0, and a DMZ connected to eth1 (206.124.146.176/32). Note that I
configure the same IP address on both <filename
class="devicefile">eth1</filename> and <filename
class="devicefile">eth2</filename>.</para>
<para>In this configuration:</para>
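Review bot: The rewritten paragraph says eth3 is bridged to tun0 via br0, but an OpenVPN bridge needs a tap (layer 2) device, so if tun0 is a tap device under a tun name the text should say so. The parenthetical "(subnet 192.168.1.0/24)" now follows "bridge br0", which leaves it unclear whether the subnet describes the bridge or the local network as a whole; moving it next to "local network" would fix that.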
@ -80,7 +81,7 @@
<listitem>
<para>I use SNAT through 206.124.146.179 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, my <firstterm>crash and burn</firstterm>
system "Wookie", and our SuSE 10.0 laptop <quote>Tipper</quote> which
system "Wookie", our SuSE 10.0 laptop <quote>Tipper</quote> which
connects through the Wireless Access Point (wap) via a Wireless Bridge
(wet), and my work laptop (eastepnc6000) when it is not docked in my
office.<note>
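Review bot: In the SNAT list item, "Wookie" is still wrapped in literal double quotes while Tarry and Tipper use <quote>; switch it to the same markup while this sentence is being edited. "my Wife's" on the line above also wants a lower-case "wife's".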
@ -113,13 +114,13 @@
WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
(64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink> and <ulink
url="OPENVPN.html">OpenVPN</ulink>.</para>
url="OPENVPN.html">OpenVPN</ulink> in bridge mode.</para>
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail to
fetch our email from our old and current ISPs. That server is accessible
from the Internet through <ulink url="ProxyARP.htm">Proxy
Courier IMAP (imap and imaps), DNS (Bind 9), a Web server (Apache) and an
FTP server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail
to fetch our email from our old and current ISPs. That server is
accessible from the Internet through <ulink url="ProxyARP.htm">Proxy
ARP</ulink>.</para>
<para>The firewall system itself runs a DHCP server that serves the local
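Review bot: The context line above the changed OpenVPN sentence still reads "In additional to using", which should be "In addition to using"; fix it here since the sentence is being touched anyway. In the DMZ paragraph the service list changes from "(imaps and pop3)" to "(imap and imaps)", so the text now lists plain imap next to imaps on a server the same paragraph describes as accessible from the Internet; say whether imap is exposed there or only to the local zones.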
@ -144,11 +145,10 @@
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>The firewall is configured with OpenVPN for VPN access from our
second home in <ulink url="http://www.omakchamber.com/">Omak,
Washington</ulink> or when we are otherwise out of town. We run a second
instance of OpenVPN that is used to <ulink url="OPENVPN.html">bridge the
wireless laptops in the Wifi zone to the local lan</ulink>.</para>
<para>In addition to the Openvpn bridge, the firewall hosts an OpenVPN
Tunnel server for VPN access from our second home in <ulink
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
otherwise out of town.</para>
<para><graphic align="center" fileref="images/network.png" /><note>
<para>Eastepnc6000 is shown in both the local LAN and in the Wifi zone
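Review bot: The new sentence writes "Openvpn bridge" where the rest of the page uses "OpenVPN"; make the capitalization match. The rewrite also drops the OPENVPN.html link that the removed sentence attached to the bridge description, so the bridge is now mentioned here without a pointer to how it is set up; consider keeping the <ulink> on "OpenVPN bridge".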
@ -624,15 +624,25 @@ $EXT_IF 1.5mbit 384kbit
<title>/etc/shorewall/tcclasses</title>
<blockquote>
<para>My traffic shaping configuration is the "WonderShaper" <ulink
<para>My traffic shaping configuration is basically the "WonderShaper"
<ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall">example
from tc4shorewall</ulink>.</para>
from tc4shorewall</ulink> with a little tweaking.</para>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 full ful 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 9*full/10 9*full/10 2 default
$EXT_IF 30 6*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<programlisting>
Sent 3144472390 bytes 4019424 pkts (dropped 0, overlimits 0)
Device tun0:
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
</programlisting>
</blockquote>
</section>
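Review bot: The second <programlisting> added to the tcclasses blockquote starts mid-output ("Sent 3144472390 bytes ...", "Device tun0:") with no introduction and looks like a stray fragment of the tc output that the next hunk adds; remove it or fold it into that listing. While here, the CEIL column of the mark 10 class reads "ful" and should be "full".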
@ -644,17 +654,69 @@ $EXT_IF 30 6*full/10 6*full/10 3
throttled and rsync gets throttled even more.</para>
<note>
<para>The class id for tc4shorewall-generated classes is 1:&lt;100 +
mark value&gt;. The rules below are using the Netfilter CLASSIFY
target to classify the traffic directly without having to first mark
then classify based on the marks.</para>
<para>The class id for tc4shorewall-generated classes is
&lt;<emphasis>device number</emphasis>&gt;:&lt;<emphasis>100 + mark
value</emphasis>&gt; where the first device in
<filename>/etc/shorewall/tcdevices</filename> is device number 1,
the second is device number 2 and so on. The rules below are using
the Netfilter CLASSIFY target to classify the traffic directly
without having to first mark then classify based on the
marks.</para>
</note>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF
1:130 206.124.146.177 $EXT_IF tcp - 873
1:130 206.124.146.177 $EXT_IF tcp - 873 #Rsync to the Mirrors
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>Here is the output of <command>shorewall show tc</command> while
the Shorewall mirrors were receiving updates via rsync and the link
was otherwise idle. Note the rate limiting imposed by the 1:30
Class.</para>
<programlisting>Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005
...
Device eth2:
qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
backlog 20p
qdisc ingress ffff: ----------------
Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
backlog 20p
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
rate 424bit
lended: 417516 borrowed: 0 giants: 0
tokens: 36864 ctokens: 36864
class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
rate 231568bit 19pps
lended: 0 borrowed: 0 giants: 0
tokens: -26280 ctokens: -26280
class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
<emphasis role="bold">rate 230848bit 19pps backlog 18p</emphasis>
lended: 48784 borrowed: 0 giants: 0
tokens: -106401 ctokens: -106401
class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
rate 1000bit
lended: 177773 borrowed: 0 giants: 0
tokens: 41126 ctokens: 41126
...</programlisting>
</blockquote>
</section>
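Review bot: The new paragraph before the output says "Note the rate limiting imposed by the 1:30 Class", but the class in the listing, and in the rule that matches rsync, is 1:130 (100 + mark 30, as the note at the top of this hunk explains); change it to 1:130. The highlighted line "rate 230848bit 19pps backlog 18p" would also benefit from a sentence pointing out that it sits at that class's 230000bit ceiling.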

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-09-30</pubdate>
<pubdate>2005-10-20</pubdate>
<copyright>
<year>2002-2005</year>
@ -132,12 +132,29 @@
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you only need to deal with a few of these as described in this
guide. After you have <ulink url="Install.htm">installed
Shorewall</ulink>, <emphasis role="bold">download the <ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
files to /etc/shorewall (they will replace files with the same names that
were placed in /etc/shorewall during Shorewall
installation)</emphasis>.</para>
Shorewall</ulink>, you can find the Samples as follows:</para>
<orderedlist>
<listitem>
<para>If you installed using an RPM, the samples will be in the
Samples/one-interface/ subdirectory of the Shorewall documentation
directory. If you don't know where the Shorewall documentation
directory is, you can find the samples using this command:</para>
<programlisting>~# rpm -ql shorewall | fgrep one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
/usr/share/doc/packages/shorewall/Samples/one-interface/rules
/usr/share/doc/packages/shorewall/Samples/one-interface/zones
~#</programlisting>
</listitem>
<listitem>
<para>If you installed using the tarball, the samples are in the
Samples/one-interface directory in the tarball.</para>
</listitem>
</orderedlist>
<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
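Review bot: The rewritten text tells the reader where the one-interface samples are but, in the lines shown, no longer tells them to copy the files into /etc/shorewall or that doing so replaces the files placed there during installation, both of which the removed sentence stated. Add a sentence after the list restoring that step, and lower-case "Samples" in the lead-in.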

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-10-03</pubdate>
<pubdate>2005-10-20</pubdate>
<copyright>
<year>2002-2005</year>
@ -192,14 +192,32 @@
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>After you have installed Shorewall, <emphasis role="bold">download
the <ulink
url="http://shorewall.net/pub/shorewall/Samples">three-interface
sample</ulink>, un-tar it</emphasis> (<command>tar <option>-zxvf</option>
<filename>three-interfaces.tgz</filename></command>) and and copy the
files to <filename>/etc/shorewall</filename> (the files will replace files
with the same names that were placed in
<filename>/etc/shorewall</filename> when Shorewall was installed).</para>
<para>After you have installed Shorewall, locate the three-interface
Sample configuration:</para>
<orderedlist>
<listitem>
<para>If you installed using an RPM, the samples will be in the
Samples/three-interfaces/ subdirectory of the Shorewall documentation
directory. If you don't know where the Shorewall documentation
directory is, you can find the samples using this command:</para>
<programlisting>~# rpm -ql shorewall | fgrep three-interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
~#</programlisting>
</listitem>
<listitem>
<para>If you installed using the tarball, the samples are in the
Samples/three-interfaces directory in the tarball.</para>
</listitem>
</orderedlist>
<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
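Review bot: The lead-in says "three-interface Sample configuration" while the directory and the rpm output are "three-interfaces"; use one spelling, and lower-case "Sample". The removed sentence's instruction to copy the files to /etc/shorewall, replacing the installed ones, does not reappear in the lines shown and should be restored after the list.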

@ -12,7 +12,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2005-10-03</pubdate>
<pubdate>2005-10-21</pubdate>
<copyright>
<year>2002-</year>
@ -78,33 +78,7 @@
<imagedata fileref="images/basics.png" format="PNG" />
</imageobject>
</mediaobject>
</figure> <tip>
<title>Shorewall and <trademark>Mandrake</trademark> 9.0+</title>
<para>If you are running Shorewall under
<trademark>Mandrake</trademark> 9.0 or later, you can easily configure
the above setup using the <trademark>Mandrake</trademark>
<quote>Internet Connection Sharing</quote> applet. From the
<emphasis><interface>Mandrake Control Center</interface></emphasis>,
select <quote><guimenuitem>Network</guimenuitem> &amp;
<guisubmenu>Internet</guisubmenu></quote> then
<quote><interface>Connection Sharing</interface></quote>.</para>
<para>Note however, that the Shorewall configuration produced by
<emphasis>Mandrake Internet Connection Sharing</emphasis> is strange
and is apt to confuse you if you use the rest of this documentation
(it has two local zones; <varname>loc</varname> and
<varname>masq</varname> where <varname>loc</varname> is empty; this
conflicts with this documentation which assumes a single local zone
<varname>loc</varname>). We therefore recommend that once you have set
up this sharing that you uninstall the <trademark>Mandrake</trademark>
Shorewall RPM and install the one from the <ulink
url="download.htm">download</ulink> page then follow the instructions
in this Guide.</para>
</tip><note>
<para><emphasis role="bold">The above Shorewall Issue is corrected in
Mandrake 10.0 and later.</emphasis></para>
</note> <caution>
</figure> <caution>
<para>If you edit your configuration files on a
<trademark>Windows</trademark> system, you must save them as
<trademark>Unix</trademark> files if your editor supports that option
@ -199,14 +173,32 @@
<para><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /><important>
<para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, <emphasis role="bold">download the <ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
sample</ulink>, un-tar it </emphasis>(<command>tar
<option>-zxvf</option>
<filename>two-interfaces.tgz</filename></command>) and and copy the
files to <filename class="directory">/etc/shorewall</filename>
<emphasis role="bold">(these files will replace files with the same
name)</emphasis>.</para>
Shorewall</ulink>, locate the two-interfaces samples:</para>
<orderedlist>
<listitem>
<para>If you installed using an RPM, the samples will be in the
Samples/two-interfaces/ subdirectory of the Shorewall
documentation directory. If you don't know where the Shorewall
documentation directory is, you can find the samples using this
command:</para>
<programlisting>~# rpm -ql shorewall | fgrep two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
~#</programlisting>
</listitem>
<listitem>
<para>If you installed using the tarball, the samples are in the
Samples/two-interfaces directory in the tarball.</para>
</listitem>
</orderedlist>
</important> As each file is introduced, I suggest that you look through
the actual file on your system -- each file contains detailed
configuration instructions and default entries.</para>
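Review bot: The RPM and tarball items are alternatives, not sequential steps, so <itemizedlist> fits better than <orderedlist> here. The bold notice that the sample files replace files with the same name was removed with the old sentence, along with the copy step itself; since this block is inside <important>, that is where the reader would expect both to stay.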

@ -65,6 +65,21 @@
<entry>Iptables Tutorial: <ulink
url="http://iptables-tutorial.frozentux.net/">http://iptables-tutorial.frozentux.net/</ulink></entry>
</row>
<row rowsep="0" valign="middle">
<entry>Debian apt-get sources for Shorewall: <ulink
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
</row>
<row rowsep="0" valign="middle">
<entry>About the Shorewall Author: <ulink
url="http://www.shorewall.net/shoreline.htm">http://www.shorewall.net/shoreline.htm</ulink></entry>
</row>
<row rowsep="0" valign="middle">
<entry>Tom's 2005 LinuxFest NW Presentation: <ulink
url="http://www.shorewall.net/LinuxFest.pdf">http://www.shorewall.net/LinuxFest.pdf</ulink></entry>
</row>
</tbody>
</tgroup>
</informaltable>
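Review bot: The new "Debian apt-get sources for Shorewall" row points readers at a package source on a personal page (~lorenzo) over plain http, with nothing about who maintains it or how the packages are signed. Add a short note naming the maintainer and where the repository's signing key can be verified, so readers can check what they install on a firewall host.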