Fiddle with the document about my configuration
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2922 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
1fb2827f7e
commit
abf477019c
@ -23,7 +23,7 @@
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<edition>2.4.0</edition>
|
||||
<edition>3.0.0</edition>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
@ -134,20 +134,6 @@
|
||||
Please review the appropriate guide before trying to use this documentation
|
||||
directly.</para>
|
||||
|
||||
<caution>
|
||||
<para>Are you running Shorewall on <ulink
|
||||
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark>
|
||||
Linux</ulink> with a two-interface setup?</para>
|
||||
|
||||
<para>If so and if you configured your system while running a Mandrake
|
||||
release earlier than 10.0 final then this documentation will not apply
|
||||
directly to your environment. If you want to use the documentation that
|
||||
you find here, you will want to consider uninstalling what you have and
|
||||
installing a configuration that matches this documentation. See the <ulink
|
||||
url="two-interface.htm">Two-interface QuickStart Guide</ulink> for
|
||||
details.</para>
|
||||
</caution>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para><ulink url="Kernel2.6.html">2.6 Kernel</ulink></para>
|
||||
@ -617,6 +603,11 @@
|
||||
<para><ulink url="samba.htm">SMB</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Shorewall_Squid_Usage.html">Squid with
|
||||
Shorewall</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
|
||||
the Firewall</ulink><itemizedlist>
|
||||
@ -631,12 +622,11 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Shorewall_Squid_Usage.html">Squid with
|
||||
Shorewall</ulink></para>
|
||||
<para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
|
||||
<para><ulink url="support.htm">Support</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>OpenVPN Tunnels</title>
|
||||
<title>OpenVPN Tunnels and Bridges</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@ -21,7 +21,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-10-18</pubdate>
|
||||
<pubdate>2005-10-19</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-10-02</pubdate>
|
||||
<pubdate>2005-10-21</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -83,6 +83,11 @@
|
||||
<section>
|
||||
<title>Requirements</title>
|
||||
|
||||
<para>Note that if you need a bridge but do not need to restrict the
|
||||
traffic through the bridge then any version of Shorewall will work. See
|
||||
the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
|
||||
details.</para>
|
||||
|
||||
<para>In order to use Shorewall as a bridging firewall:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -112,11 +117,6 @@
|
||||
installed.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Note that if you need a bridge but do not need to restrict the
|
||||
traffic through the bridge then any version of Shorewall will work. See
|
||||
the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
|
||||
details.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-09-29</pubdate>
|
||||
<pubdate>2005-10-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -127,8 +127,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/tunnels</filename> - defines IPSEC,
|
||||
GRE and IPIP tunnels with end-points on the firewall system.</para>
|
||||
<para><filename>/etc/shorewall/tunnels</filename> - defines tunnels
|
||||
(VPN) with end-points on the firewall system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -173,7 +173,8 @@
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/actions</filename> and
|
||||
<filename>/usr/share/shorewall/action.template</filename>.</para>
|
||||
<filename>/usr/share/shorewall/action.template</filename> allow
|
||||
user-defined actions.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -227,13 +228,13 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
|
||||
<title>Line Continuation</title>
|
||||
|
||||
<para>You may continue lines in the configuration files using the usual
|
||||
backslash (<quote>\</quote>) followed immediately by a new line
|
||||
character.</para>
|
||||
backslash (<quote>\</quote>) followed immediately by a new line character
|
||||
(Enter key).</para>
|
||||
|
||||
<example>
|
||||
<title>Line Continuation</title>
|
||||
|
||||
<programlisting>ACCEPT net $FW tcp \
|
||||
<programlisting>ACCEPT net $FW tcp \↵
|
||||
smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
@ -488,7 +489,8 @@ Shorewall has detected the following iptables/netfilter capabilities:
|
||||
Packet Type Match: Not available
|
||||
Policy Match: Available
|
||||
Physdev Match: Available
|
||||
<emphasis role="bold">IP range Match: Available <-------------- </emphasis></programlisting>
|
||||
<emphasis role="bold">IP range Match: Available <--------------
|
||||
</emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Ports">
|
||||
|
@ -33,7 +33,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -42,8 +43,8 @@
|
||||
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
|
||||
cannot be used effectively to police DHCP. The <quote>dhcp</quote>
|
||||
interface option described in this article allows for Netfilter to stay
|
||||
out of DHCP's way for those operations that can be controlled by
|
||||
Netfilter and prevents unwanted logging of DHCP-related traffic by
|
||||
out of DHCP's way for those operations that can be controlled by Netfilter
|
||||
and prevents unwanted logging of DHCP-related traffic by
|
||||
Shorewall-generated Netfilter logging rules.</para>
|
||||
</note>
|
||||
|
||||
@ -65,8 +66,6 @@
|
||||
modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -75,22 +74,25 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Specify the <quote>dhcp</quote> option for this interface in the
|
||||
<ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
file. This will generate rules that will allow DHCP to and from
|
||||
<ulink
|
||||
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
file. This will generate rules that will allow DHCP to and from
|
||||
your firewall system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you know that the dynamic address is always going to be in
|
||||
the same subnet, you can specify the subnet address in the
|
||||
interface's entry in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
the same subnet, you can specify the subnet address in the interface's
|
||||
entry in the <ulink
|
||||
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you don't know the subnet address in advance, you should
|
||||
specify <quote>detect</quote> for the interface's subnet address
|
||||
in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
<para>If you don't know the subnet address in advance, you should
|
||||
specify <quote>detect</quote> for the interface's subnet address in
|
||||
the <ulink
|
||||
url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
file and start Shorewall after the interface has started.</para>
|
||||
</listitem>
|
||||
|
||||
@ -98,7 +100,7 @@
|
||||
<para>In the event that the subnet address might change while
|
||||
Shorewall is started, you need to arrange for a <quote>shorewall
|
||||
refresh</quote> command to be executed when a new dynamic IP address
|
||||
gets assigned to the interface. Check your DHCP client's
|
||||
gets assigned to the interface. Check your DHCP client's
|
||||
documentation.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-10-13</pubdate>
|
||||
<pubdate>2005-10-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -52,15 +52,16 @@
|
||||
releases.</para>
|
||||
</caution>
|
||||
|
||||
<para>I have DSL service and have 5 static IP addresses
|
||||
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200) is
|
||||
connected to eth2 and has IP address 192.168.1.1 (factory default). The
|
||||
modem is configured in <quote>bridge</quote> mode so PPPoE is not
|
||||
involved. I have a local network connected to eth3 (subnet
|
||||
192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0,
|
||||
and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure
|
||||
the same IP address on both <filename class="devicefile">eth1</filename>
|
||||
and <filename class="devicefile">eth2</filename>.</para>
|
||||
<para>I have DSL service with 5 static IP addresses (206.124.146.176-180).
|
||||
My DSL <quote>modem</quote> (Westell 2200) is connected to eth2 and has IP
|
||||
address 192.168.1.1 (factory default). The modem is configured in
|
||||
<quote>bridge</quote> mode so PPPoE is not involved. I have a local
|
||||
network connected to eth3 which is bridged to interface tun0 via bridge
|
||||
br0 (subnet 192.168.1.0/24), a wireless network (192.168.3.0/24) connected
|
||||
to eth0, and a DMZ connected to eth1 (206.124.146.176/32). Note that I
|
||||
configure the same IP address on both <filename
|
||||
class="devicefile">eth1</filename> and <filename
|
||||
class="devicefile">eth2</filename>.</para>
|
||||
|
||||
<para>In this configuration:</para>
|
||||
|
||||
@ -80,7 +81,7 @@
|
||||
<listitem>
|
||||
<para>I use SNAT through 206.124.146.179 for my Wife's Windows XP
|
||||
system <quote>Tarry</quote>, my <firstterm>crash and burn</firstterm>
|
||||
system "Wookie", and our SuSE 10.0 laptop <quote>Tipper</quote> which
|
||||
system "Wookie", our SuSE 10.0 laptop <quote>Tipper</quote> which
|
||||
connects through the Wireless Access Point (wap) via a Wireless Bridge
|
||||
(wet), and my work laptop (eastepnc6000) when it is not docked in my
|
||||
office.<note>
|
||||
@ -113,13 +114,13 @@
|
||||
WAP11. In additional to using the rather weak WEP 40-bit encryption
|
||||
(64-bit with the 24-bit preamble), I use <ulink
|
||||
url="MAC_Validation.html">MAC verification</ulink> and <ulink
|
||||
url="OPENVPN.html">OpenVPN</ulink>.</para>
|
||||
url="OPENVPN.html">OpenVPN</ulink> in bridge mode.</para>
|
||||
|
||||
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
||||
server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail to
|
||||
fetch our email from our old and current ISPs. That server is accessible
|
||||
from the Internet through <ulink url="ProxyARP.htm">Proxy
|
||||
Courier IMAP (imap and imaps), DNS (Bind 9), a Web server (Apache) and an
|
||||
FTP server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail
|
||||
to fetch our email from our old and current ISPs. That server is
|
||||
accessible from the Internet through <ulink url="ProxyARP.htm">Proxy
|
||||
ARP</ulink>.</para>
|
||||
|
||||
<para>The firewall system itself runs a DHCP server that serves the local
|
||||
@ -144,11 +145,10 @@
|
||||
/etc/network/interfaces file (see below) adds a host route to
|
||||
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||
|
||||
<para>The firewall is configured with OpenVPN for VPN access from our
|
||||
second home in <ulink url="http://www.omakchamber.com/">Omak,
|
||||
Washington</ulink> or when we are otherwise out of town. We run a second
|
||||
instance of OpenVPN that is used to <ulink url="OPENVPN.html">bridge the
|
||||
wireless laptops in the Wifi zone to the local lan</ulink>.</para>
|
||||
<para>In addition to the Openvpn bridge, the firewall hosts an OpenVPN
|
||||
Tunnel server for VPN access from our second home in <ulink
|
||||
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
|
||||
otherwise out of town.</para>
|
||||
|
||||
<para><graphic align="center" fileref="images/network.png" /><note>
|
||||
<para>Eastepnc6000 is shown in both the local LAN and in the Wifi zone
|
||||
@ -624,15 +624,25 @@ $EXT_IF 1.5mbit 384kbit
|
||||
<title>/etc/shorewall/tcclasses</title>
|
||||
|
||||
<blockquote>
|
||||
<para>My traffic shaping configuration is the "WonderShaper" <ulink
|
||||
<para>My traffic shaping configuration is basically the "WonderShaper"
|
||||
<ulink
|
||||
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall">example
|
||||
from tc4shorewall</ulink>.</para>
|
||||
from tc4shorewall</ulink> with a little tweaking.</para>
|
||||
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
$EXT_IF 10 full ful 1 tcp-ack,tos-minimize-delay
|
||||
$EXT_IF 20 9*full/10 9*full/10 2 default
|
||||
$EXT_IF 30 6*full/10 6*full/10 3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<programlisting>
|
||||
Sent 3144472390 bytes 4019424 pkts (dropped 0, overlimits 0)
|
||||
|
||||
Device tun0:
|
||||
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
|
||||
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
|
||||
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
@ -644,17 +654,69 @@ $EXT_IF 30 6*full/10 6*full/10 3
|
||||
throttled and rsync gets throttled even more.</para>
|
||||
|
||||
<note>
|
||||
<para>The class id for tc4shorewall-generated classes is 1:<100 +
|
||||
mark value>. The rules below are using the Netfilter CLASSIFY
|
||||
target to classify the traffic directly without having to first mark
|
||||
then classify based on the marks.</para>
|
||||
<para>The class id for tc4shorewall-generated classes is
|
||||
<<emphasis>device number</emphasis>>:<<emphasis>100 + mark
|
||||
value</emphasis>> where the first device in
|
||||
<filename>/etc/shorewall/tcdevices</filename> is device number 1,
|
||||
the second is device number 2 and so on. The rules below are using
|
||||
the Netfilter CLASSIFY target to classify the traffic directly
|
||||
without having to first mark then classify based on the
|
||||
marks.</para>
|
||||
</note>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
1:110 192.168.0.0/22 $EXT_IF
|
||||
1:130 206.124.146.177 $EXT_IF tcp - 873
|
||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Rsync to the Mirrors
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>Here is the output of <command>shorewall show tc</command> while
|
||||
the Shorewall mirrors were receiving updates via rsync and the link
|
||||
was otherwise idle. Note the rate limiting imposed by the 1:30
|
||||
Class.</para>
|
||||
|
||||
<programlisting>Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005
|
||||
|
||||
...
|
||||
|
||||
Device eth2:
|
||||
qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
|
||||
Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
|
||||
backlog 20p
|
||||
qdisc ingress ffff: ----------------
|
||||
Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
|
||||
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
|
||||
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
|
||||
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
|
||||
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
|
||||
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
|
||||
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
|
||||
backlog 20p
|
||||
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
|
||||
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
|
||||
rate 424bit
|
||||
lended: 417516 borrowed: 0 giants: 0
|
||||
tokens: 36864 ctokens: 36864
|
||||
|
||||
class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
|
||||
Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
|
||||
rate 231568bit 19pps
|
||||
lended: 0 borrowed: 0 giants: 0
|
||||
tokens: -26280 ctokens: -26280
|
||||
|
||||
class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
|
||||
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
|
||||
<emphasis role="bold">rate 230848bit 19pps backlog 18p</emphasis>
|
||||
lended: 48784 borrowed: 0 giants: 0
|
||||
tokens: -106401 ctokens: -106401
|
||||
|
||||
class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
|
||||
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
|
||||
rate 1000bit
|
||||
lended: 177773 borrowed: 0 giants: 0
|
||||
tokens: 41126 ctokens: 41126
|
||||
|
||||
...</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-09-30</pubdate>
|
||||
<pubdate>2005-10-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2005</year>
|
||||
@ -132,12 +132,29 @@
|
||||
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||
setups, you only need to deal with a few of these as described in this
|
||||
guide. After you have <ulink url="Install.htm">installed
|
||||
Shorewall</ulink>, <emphasis role="bold">download the <ulink
|
||||
url="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
|
||||
sample</ulink>, un-tar it (tar -zxvf one-interface.tgz) and and copy the
|
||||
files to /etc/shorewall (they will replace files with the same names that
|
||||
were placed in /etc/shorewall during Shorewall
|
||||
installation)</emphasis>.</para>
|
||||
Shorewall</ulink>, you can find the Samples as follows:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>If you installed using an RPM, the samples will be in the
|
||||
Samples/one-interface/ subdirectory of the Shorewall documentation
|
||||
directory. If you don't know where the Shorewall documentation
|
||||
directory is, you can find the samples using this command:</para>
|
||||
|
||||
<programlisting>~# rpm -ql shorewall | fgrep one-interface
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface/rules
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface/zones
|
||||
~#</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you installed using the tarball, the samples are in the
|
||||
Samples/one-interface directory in the tarball.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<warning>
|
||||
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-10-03</pubdate>
|
||||
<pubdate>2005-10-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2005</year>
|
||||
@ -192,14 +192,32 @@
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>After you have installed Shorewall, <emphasis role="bold">download
|
||||
the <ulink
|
||||
url="http://shorewall.net/pub/shorewall/Samples">three-interface
|
||||
sample</ulink>, un-tar it</emphasis> (<command>tar <option>-zxvf</option>
|
||||
<filename>three-interfaces.tgz</filename></command>) and and copy the
|
||||
files to <filename>/etc/shorewall</filename> (the files will replace files
|
||||
with the same names that were placed in
|
||||
<filename>/etc/shorewall</filename> when Shorewall was installed).</para>
|
||||
<para>After you have installed Shorewall, locate the three-interface
|
||||
Sample configuration:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>If you installed using an RPM, the samples will be in the
|
||||
Samples/three-interfaces/ subdirectory of the Shorewall documentation
|
||||
directory. If you don't know where the Shorewall documentation
|
||||
directory is, you can find the samples using this command:</para>
|
||||
|
||||
<programlisting>~# rpm -ql shorewall | fgrep three-interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
|
||||
~#</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you installed using the tarball, the samples are in the
|
||||
Samples/three-interfaces directory in the tarball.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>As each file is introduced, I suggest that you look through the
|
||||
actual file on your system -- each file contains detailed configuration
|
||||
|
@ -12,7 +12,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2005-10-03</pubdate>
|
||||
<pubdate>2005-10-21</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-</year>
|
||||
@ -78,33 +78,7 @@
|
||||
<imagedata fileref="images/basics.png" format="PNG" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure> <tip>
|
||||
<title>Shorewall and <trademark>Mandrake</trademark> 9.0+</title>
|
||||
|
||||
<para>If you are running Shorewall under
|
||||
<trademark>Mandrake</trademark> 9.0 or later, you can easily configure
|
||||
the above setup using the <trademark>Mandrake</trademark>
|
||||
<quote>Internet Connection Sharing</quote> applet. From the
|
||||
<emphasis><interface>Mandrake Control Center</interface></emphasis>,
|
||||
select <quote><guimenuitem>Network</guimenuitem> &
|
||||
<guisubmenu>Internet</guisubmenu></quote> then
|
||||
<quote><interface>Connection Sharing</interface></quote>.</para>
|
||||
|
||||
<para>Note however, that the Shorewall configuration produced by
|
||||
<emphasis>Mandrake Internet Connection Sharing</emphasis> is strange
|
||||
and is apt to confuse you if you use the rest of this documentation
|
||||
(it has two local zones; <varname>loc</varname> and
|
||||
<varname>masq</varname> where <varname>loc</varname> is empty; this
|
||||
conflicts with this documentation which assumes a single local zone
|
||||
<varname>loc</varname>). We therefore recommend that once you have set
|
||||
up this sharing that you uninstall the <trademark>Mandrake</trademark>
|
||||
Shorewall RPM and install the one from the <ulink
|
||||
url="download.htm">download</ulink> page then follow the instructions
|
||||
in this Guide.</para>
|
||||
</tip><note>
|
||||
<para><emphasis role="bold">The above Shorewall Issue is corrected in
|
||||
Mandrake 10.0 and later.</emphasis></para>
|
||||
</note> <caution>
|
||||
</figure> <caution>
|
||||
<para>If you edit your configuration files on a
|
||||
<trademark>Windows</trademark> system, you must save them as
|
||||
<trademark>Unix</trademark> files if your editor supports that option
|
||||
@ -199,14 +173,32 @@
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" /><important>
|
||||
<para>After you have <ulink url="Install.htm">installed
|
||||
Shorewall</ulink>, <emphasis role="bold">download the <ulink
|
||||
url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
|
||||
sample</ulink>, un-tar it </emphasis>(<command>tar
|
||||
<option>-zxvf</option>
|
||||
<filename>two-interfaces.tgz</filename></command>) and and copy the
|
||||
files to <filename class="directory">/etc/shorewall</filename>
|
||||
<emphasis role="bold">(these files will replace files with the same
|
||||
name)</emphasis>.</para>
|
||||
Shorewall</ulink>, locate the two-interfaces samples:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>If you installed using an RPM, the samples will be in the
|
||||
Samples/two-interfaces/ subdirectory of the Shorewall
|
||||
documentation directory. If you don't know where the Shorewall
|
||||
documentation directory is, you can find the samples using this
|
||||
command:</para>
|
||||
|
||||
<programlisting>~# rpm -ql shorewall | fgrep two-interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
|
||||
~#</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you installed using the tarball, the samples are in the
|
||||
Samples/two-interfaces directory in the tarball.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</important> As each file is introduced, I suggest that you look through
|
||||
the actual file on your system -- each file contains detailed
|
||||
configuration instructions and default entries.</para>
|
||||
|
@ -65,6 +65,21 @@
|
||||
<entry>Iptables Tutorial: <ulink
|
||||
url="http://iptables-tutorial.frozentux.net/">http://iptables-tutorial.frozentux.net/</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row rowsep="0" valign="middle">
|
||||
<entry>Debian apt-get sources for Shorewall: <ulink
|
||||
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row rowsep="0" valign="middle">
|
||||
<entry>About the Shorewall Author: <ulink
|
||||
url="http://www.shorewall.net/shoreline.htm">http://www.shorewall.net/shoreline.htm</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row rowsep="0" valign="middle">
|
||||
<entry>Tom's 2005 LinuxFest NW Presentation: <ulink
|
||||
url="http://www.shorewall.net/LinuxFest.pdf">http://www.shorewall.net/LinuxFest.pdf</ulink></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|