Documentation Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1090 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
2e80e459bb
commit
ac8d03c5f4
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-05</pubdate>
|
||||
<pubdate>2004-01-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -680,6 +680,21 @@ dmz DMZ Demilitarized zone</programlisting>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>detectnets</term>
|
||||
|
||||
<listitem>
|
||||
<para>(Added in version 1.4.10) - If this option is specified,
|
||||
the zone named in the ZONE column will contain only the hosts
|
||||
routed through the interface named in the INTERFACE column.
|
||||
<emphasis role="bold">Do not set this option on your external
|
||||
(Internet) interface!</emphasis> The interface must be in the
|
||||
UP state when Shorewall is [re]started.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>My recommendations concerning options:</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -688,7 +703,7 @@ dmz DMZ Demilitarized zone</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Wireless Interface -- <emphasis role="bold">maclist,routefilter,tcpflags</emphasis></para>
|
||||
<para>Wireless Interface -- <emphasis role="bold">maclist,routefilter,tcpflags,detectnets</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -926,7 +941,7 @@ loc eth1:192.168.1.0/24,192.168.12.0/24</programlisting>
|
||||
to a particular connection request then the policy from
|
||||
<filename>/etc/shorewall/policy</filename> is applied.</para>
|
||||
|
||||
<para>Four policies are defined:</para>
|
||||
<para>Five policies are defined:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -1827,14 +1842,23 @@ DNAT net loc:192.168.1.101-192.168.1.109 tcp 80</programlisting>
|
||||
optionally qualified by adding <quote>:</quote> and a subnet or host
|
||||
IP. When this qualification is added, only packets addressed to that
|
||||
host or subnet will be masqueraded. Beginning with Shorewall version
|
||||
1.3.14, if you have set ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />,
|
||||
you can cause Shorewall to create an alias <emphasis>label</emphasis>
|
||||
of the form <emphasis>interfacename:digit</emphasis> (e.g., eth0:0)
|
||||
by placing that label in this column. See example 5 below. Alias
|
||||
labels created in this way allow the alias to be visible to the
|
||||
ipconfig utility. <emphasis role="bold">THAT IS THE ONLY THING THAT
|
||||
THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR
|
||||
SHOREWALL CONFIGURATION.</emphasis></para>
|
||||
1.4.10, the interface name can be qualified with ":"
|
||||
followed by a comma separated list of hosts and/or subnets. If this
|
||||
list begins with <quote>!</quote> (e.g., <quote>eth0:!192.0.2.8/29,192.0.2.32/29</quote>)
|
||||
then only packets addressed to destinations <emphasis role="bold">not</emphasis>
|
||||
listed will be masqueraded; otherwise (e.g., <quote>eth0:192.0.2.8/29,192.0.2.32/29</quote>),
|
||||
traffic will be masqueraded if it <emphasis role="bold">does</emphasis>
|
||||
match one of the listed addresses.</para>
|
||||
|
||||
<para>Beginning with Shorewall version 1.3.14, if you have set
|
||||
ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />, you can cause
|
||||
Shorewall to create an alias <emphasis>label</emphasis> of the form
|
||||
<emphasis>interfacename:digit</emphasis> (e.g., eth0:0) by placing
|
||||
that label in this column. See example 5 below. Alias labels created
|
||||
in this way allow the alias to be visible to the ipconfig utility.
|
||||
<emphasis role="bold">THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
|
||||
FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL
|
||||
CONFIGURATION.</emphasis></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -3091,7 +3115,9 @@ eth1 -</programlisting>
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.11</revnumber><date>2005-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
|
||||
<para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-21</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
masquerade destination list.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-18</date><authorinitials>TE</authorinitials><revremark>Correct
|
||||
typo.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
|
||||
Compliance</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Improved
|
||||
formatting of DNAT- and REDIRECT- for clarity</revremark></revision><revision><revnumber>1.9</revnumber><date>2003-12-25</date><authorinitials>MN</authorinitials><revremark>Initial
|
||||
Docbook Conversion Complete</revremark></revision></revhistory></para>
|
||||
|
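Review bot: The revision history on the new side lists `<revnumber>1.12</revnumber>` twice, once for 2004-01-21 (`Add masquerade destination list.`) and once for 2004-01-18 (`Correct typo.`), so the two newest entries can no longer be told apart by number; the newer one presumably should read `<revnumber>1.13</revnumber>`. The header `<pubdate>` was moved to 2004-01-22 while the newest revision is dated 2004-01-21, so if both are meant to record the same edit one of them looks stale. The enclosing `<appendix>` continues outside the hunk.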
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-12-31</pubdate>
|
||||
<pubdate>2004-01-21</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2003</year>
|
||||
@ -23,7 +23,7 @@
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<edition>1.4.8</edition>
|
||||
<edition>1.4.9</edition>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
@ -73,6 +73,10 @@
|
||||
(virtual) Interfaces (e.g., eth0:0)</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="traffic_shaping.htm">Bandwidth Control</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="blacklisting_support.htm">Blacklisting</ulink></para>
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-20</pubdate>
|
||||
<pubdate>2004-01-24</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -1590,7 +1590,12 @@ Creating input Chains...
|
||||
<para><emphasis role="bold">Answer:</emphasis> The above output is
|
||||
perfectly normal. The Net zone is defined as all hosts that are
|
||||
connected through eth0 and the local zone is defined as all hosts
|
||||
connected through eth1</para>
|
||||
connected through eth1. If you are running Shorewall 1.4.10 or later,
|
||||
you can consider setting the <ulink url="Documentation.htm#Interfaces"><emphasis
|
||||
role="bold">detectnets</emphasis> interface option</ulink> on your local
|
||||
interface (eth1 in the above example). That will cause Shorewall to
|
||||
restrict the local zone to only those networks routed through that
|
||||
interface.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq22">
|
||||
@ -1909,7 +1914,9 @@ Creating input Chains...
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
|
||||
<para><revhistory><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
a note about the <emphasis role="bold">detectnets</emphasis> interface
|
||||
option in FAQ 9.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
|
||||
FAQ 16 answer.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Corrected
|
||||
broken link</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-09</date><authorinitials>TE</authorinitials><revremark>Added
|
||||
a couple of more legacy FAQ numbers.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-01-08</date><authorinitials>TE</authorinitials><revremark>Corrected
|
||||
|
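Review bot: The new FAQ 9 text recommends the detectnets option for the local interface without the precondition the Documentation page attaches to it, namely that the interface must be in the UP state when Shorewall is [re]started; a reader following this answer on an interface that is down at start time will get a zone with no hosts. Suggest appending one sentence after `interface.</para>` such as `Note that the interface must be in the UP state when Shorewall is [re]started.` The enclosing `<section>` starts outside the hunk.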
@ -15,14 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-10-29</pubdate>
|
||||
<pubdate>2004-01-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
|
||||
<year>2002</year>
|
||||
|
||||
<year>2003</year>
|
||||
<year>2001-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -37,6 +33,16 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<warning>
|
||||
<para>This documentation does not cover configuring IPSEC under the 2.6
|
||||
Linux Kernel. David Hollis has provided i<ulink
|
||||
url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation
|
||||
about how to set up a simple tunnel under 2.6</ulink>. One important point
|
||||
that is not made explicit in David's post is that the <emphasis
|
||||
role="bold">vpn</emphasis> zone must be defined before the <emphasis
|
||||
role="bold">net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</para>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<title>Configuring FreeS/Wan</title>
|
||||
|
||||
|
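Review bot: The link text in the new warning is split by the `<ulink>` start tag, `provided i<ulink url="...">nformation about`, so the rendered anchor text begins with `nformation` and the leading `i` stays outside the link. Moving the letter inside the element fixes it: `Linux Kernel. David Hollis has provided <ulink` / `url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">information`. The zone-ordering requirement stated at the end of the paragraph is the operationally important part of the warning and is worth keeping as it is.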
@ -15,10 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-10-17</pubdate>
|
||||
<pubdate>2004-01-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -33,7 +33,7 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<para> </para>
|
||||
<para></para>
|
||||
|
||||
<para>This page covers Shorewall configuration to use with <ulink
|
||||
url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
|
||||
@ -401,7 +401,7 @@ chkconfig --level 35 iptables on</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="DMZ">
|
||||
<title>Squid (transparent) Running in the DMZ (This is what I do)</title>
|
||||
<title>Squid (transparent) Running in the DMZ</title>
|
||||
|
||||
<para>You have a single Linux system in your DMZ with IP address
|
||||
192.0.2.177. You want to run both a web server and Squid on that system.
|
||||
|
@ -15,10 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-10-22</pubdate>
|
||||
<pubdate>2004-01-19</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -42,7 +42,7 @@
|
||||
|
||||
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
|
||||
insert the following rules <emphasis role="bold">near the top</emphasis> of
|
||||
your /etc/shorewall/rules file (before and ACCEPT rules whose source is the
|
||||
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
|
||||
<quote>loc</quote> zone).</para>
|
||||
|
||||
<programlisting> QUEUE loc net tcp
|
||||
@ -51,4 +51,9 @@
|
||||
|
||||
<para>Now simply configure ftwall as described in the ftwall documentation
|
||||
and restart Shorewall.</para>
|
||||
|
||||
<tip>
|
||||
<para>There is an ftwall init script for use with <trademark>SuSE</trademark>
|
||||
Linux at <ulink url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
|
||||
</tip>
|
||||
</article>
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-05</pubdate>
|
||||
<pubdate>2004-01-17</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -140,7 +140,7 @@
|
||||
option in <filename>/etc/shorewall/interfaces</filename>.</para>
|
||||
|
||||
<example>
|
||||
<title>Ingore packets from a pair of systems</title>
|
||||
<title>Ignore packets from a pair of systems</title>
|
||||
|
||||
<programlisting> <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>
|
||||
|
||||
|
@ -13,7 +13,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-03</pubdate>
|
||||
<pubdate>2004-01-19</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -62,16 +62,44 @@
|
||||
</itemizedlist>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<title>RFC1918 File</title>
|
||||
|
||||
<para><ulink url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
|
||||
is the most up to date version of the <ulink
|
||||
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Problems in Version 1.4</title>
|
||||
|
||||
<section>
|
||||
<title>All Versions</title>
|
||||
<title>Shorewall 1.4.9</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
|
||||
is the most up to date version of the <ulink
|
||||
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The column descriptions in the action.template file did not
|
||||
match the column headings.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>This problem has been corrected in <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/1.4.9/action.template">this
|
||||
action.template file</ulink> which may be installed in /etc/shorewall.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The presence of IPV6 addresses on devices generates error
|
||||
messages during <command>[re]start </command>if ADD_IP_ALIASES=Yes
|
||||
or ADD_SNAT_ALIASES=Yes are specified in
|
||||
/etc/shorewall/shorewall.conf.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>This problem has been corrected in <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
|
||||
firewall script</ulink> which may be installed in
|
||||
/usr/share/shorewall/firewall as described above.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -437,9 +465,11 @@ Aborted (core dumped)</programlisting>
|
||||
</section>
|
||||
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
<title>Revision History4</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
|
||||
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
|
||||
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
|
||||
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
|
||||
note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
|
||||
RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||
Conversion to Docbook XML</revremark></revision></revhistory></para>
|
||||
|
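Review bot: The appendix title on the new side reads `<title>Revision History4</title>`, which looks like a stray keystroke; it should stay `<title>Revision History</title>`. In the same `<revhistory>`, `<revnumber>1.3</revnumber>` now appears twice (2004-01-14 `Confusing template file in 1.4.9` and 2004-01-03 `Added note about REJECT ...`), so the number no longer identifies a single entry; presumably the 2004-01-14 entry was meant to carry its own number. The `<revhistory>` closes inside the hunk, so the fix is local to these lines.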
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-08</pubdate>
|
||||
<pubdate>2004-01-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -66,8 +66,9 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>One-to-one NAT for EastepLaptop (My work system). Internal
|
||||
address 192.168.1.7 and external address 206.124.146.180.</para>
|
||||
<para>One-to-one NAT for EastepLaptop (My work system -- Windows XP
|
||||
SP2). Internal address 192.168.1.7 and external address
|
||||
206.124.146.180.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -86,7 +87,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The firewall runs on a 256MB PII/233 with RH9.0.</para>
|
||||
<para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
|
||||
|
||||
<para>Wookie, Ursa and the Firewall all run Samba and the Firewall acts as
|
||||
a WINS server.</para>
|
||||
@ -100,19 +101,20 @@
|
||||
|
||||
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
||||
server (Pure-ftpd). The system also runs fetchmail to fetch our email from
|
||||
our old and current ISPs. That server is managed through Proxy ARP.</para>
|
||||
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
|
||||
fetch our email from our old and current ISPs. That server is managed
|
||||
through Proxy ARP.</para>
|
||||
|
||||
<para>The firewall system itself runs a DHCP server that serves the local
|
||||
network.</para>
|
||||
|
||||
<para>All administration and publishing is done using ssh/scp. I have X
|
||||
installed on the firewall but no X server or desktop is installed. X
|
||||
applications tunnel through SSH to XWin.exe running on Ursa. The server
|
||||
does have a desktop environment installed and that desktop environment is
|
||||
available via XDMCP from the local zone. For the most part though, X
|
||||
tunneled through SSH is used for server administration and the server runs
|
||||
at run level 3 (multi-user console mode on RedHat).</para>
|
||||
<para>All administration and publishing is done using ssh/scp. I have a
|
||||
desktop environment installed on the firewall but I am not usually logged
|
||||
in to it. X applications tunnel through SSH to Ursa. The server also has a
|
||||
desktop environment installed and that desktop environment is available
|
||||
via XDMCP from the local zone. For the most part though, X tunneled
|
||||
through SSH is used for server administration and the server runs at run
|
||||
level 3 (multi-user console mode on RedHat).</para>
|
||||
|
||||
<para>I run an SNMP server on my firewall to serve <ulink
|
||||
url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
|
||||
@ -120,9 +122,9 @@
|
||||
ethernet interface in the Server is configured with IP address
|
||||
206.124.146.177, netmask 255.255.255.0. The server's default gateway
|
||||
is 206.124.146.254 (Router at my ISP. This is the same default gateway
|
||||
used by the firewall itself). On the firewall, my /sbin/ifup-local script
|
||||
(see below) adds a host route to 206.124.146.177 through eth1 when that
|
||||
interface is brought up.</para>
|
||||
used by the firewall itself). On the firewall, an entry in my
|
||||
/etc/network/interfaces file (see below) adds a host route to
|
||||
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||
|
||||
<para>Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for
|
||||
Road Warrior access.</para>
|
||||
@ -541,90 +543,24 @@ ACCEPT all all icmp
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Init File</title>
|
||||
<title>/etc/network/interfaces</title>
|
||||
|
||||
<blockquote>
|
||||
<para>This file deals with redirecting html requests to <ulink
|
||||
url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>.</para>
|
||||
</blockquote>
|
||||
<para>This file is Debian specific. My additional entry (which is
|
||||
displayed in <emphasis role="bold">bold type</emphasis>) adds a route
|
||||
to my DMZ server when eth1 is brought up. It allows me to enter
|
||||
<quote>Yes</quote> in the HAVEROUTE column of <link linkend="ProxyARP">my
|
||||
Proxy ARP file</link>.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#
|
||||
# Add a second routing table with my server as the default gateway
|
||||
# Use this routing table with all packets marked with value 1
|
||||
#
|
||||
if [ -z "`ip route list table 202 2> /dev/null`" ] ; then
|
||||
run_ip rule add fwmark 1 table www.out
|
||||
run_ip route add default via 206.124.146.177 dev eth1 table www.out
|
||||
run_ip route flush cache
|
||||
fi</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/iproute2/rt_tables</title>
|
||||
|
||||
<blockquote>
|
||||
<para>This file deals with redirecting html requests to <ulink
|
||||
url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>.</para>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#
|
||||
# reserved values
|
||||
#
|
||||
#255 local
|
||||
#254 main
|
||||
#253 default
|
||||
#0 unspec
|
||||
|
||||
#
|
||||
# local -- I added the entry below
|
||||
#
|
||||
202 www.out</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Tcrules File</title>
|
||||
|
||||
<blockquote>
|
||||
<para>This file deals with redirecting html requests to <ulink
|
||||
url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>
|
||||
-- in my setup, it is <emphasis role="bold">not</emphasis> used for
|
||||
traffic shapping/control.</para>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
|
||||
1:P eth2,eth3 !192.168.0.0/16 tcp 80</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Tcstart File</title>
|
||||
|
||||
<blockquote>
|
||||
<para>My tcstart file is just the HTB version of <ulink
|
||||
url="http://lartc.org/wondershaper/">The WonderShaper</ulink>.</para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/sbin/ifup-local</title>
|
||||
|
||||
<blockquote>
|
||||
<para>This file is Redhat specific and adds a route to my DMZ server
|
||||
when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
|
||||
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>
|
||||
|
||||
<programlisting>#!/bin/sh
|
||||
|
||||
case $1 in
|
||||
eth1)
|
||||
ip route add 206.124.146.177 dev eth1
|
||||
;;
|
||||
esac</programlisting>
|
||||
<programlisting>...
|
||||
auto eth1
|
||||
iface eth1 inet static
|
||||
address 192.168.2.1
|
||||
netmask 255.255.255.0
|
||||
network 192.168.2.0
|
||||
broadcast 192.168.2.255
|
||||
<emphasis role="bold">up ip route add 206.124.146.177 dev eth1
|
||||
</emphasis>...</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
|
@ -15,10 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-10-21</pubdate>
|
||||
<pubdate>2004-01-21</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2003</year>
|
||||
<year>2001-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -223,6 +223,21 @@
|
||||
omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>USER (Added in Shorewall version 1.4.10) - (Optional) This
|
||||
column may only be non-empty if the SOURCE is the firewall itself.
|
||||
When this column is non-empty, the rule applies only if the program
|
||||
generating the output is running under the effective user and/or
|
||||
group. It may contain : </para>
|
||||
|
||||
<para>[<user name or number>]:[<group name or number>]
|
||||
</para>
|
||||
|
||||
<para>The colon is optionnal when specifying only a user. </para>
|
||||
|
||||
<para>Examples : john: / john / :users / john:users</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<example>
|
||||
@ -233,7 +248,7 @@
|
||||
originating on the firewall itself should be marked with 3.</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="6">
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">MARK</entry>
|
||||
@ -243,10 +258,6 @@
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT(S)</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
@ -259,10 +270,6 @@
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>all</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -273,10 +280,6 @@
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>all</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -287,10 +290,6 @@
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>all</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -301,10 +300,6 @@
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>all</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -318,7 +313,7 @@
|
||||
destined for 155.186.235.151 should be marked with 12.</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="6">
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">MARK</entry>
|
||||
@ -328,10 +323,6 @@
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT(S)</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
@ -344,10 +335,6 @@
|
||||
<entry>155.186.235.151</entry>
|
||||
|
||||
<entry>47</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -361,7 +348,7 @@
|
||||
155.186.235.151 should be marked with 22.</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="6">
|
||||
<tgroup cols="5">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">MARK</entry>
|
||||
@ -373,8 +360,6 @@
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT(S)</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
@ -389,8 +374,6 @@
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>22</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -405,10 +388,7 @@
|
||||
url="http://lartc.org/wondershaper/">The Wonder Shaper </ulink>(I just
|
||||
copied wshaper.htb to /etc/shorewall/tcstart and modified it as shown in
|
||||
the Wondershaper README). WonderShaper DOES NOT USE THE
|
||||
/etc/shorewall/tcrules file. While I currently have entries in
|
||||
/etc/shorewall/tcrules, I do so for <ulink
|
||||
url="Shorewall_Squid_Usage.html">policy routing for Squid</ulink> and not
|
||||
for Traffic Shaping.</para>
|
||||
/etc/shorewall/tcrules file.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
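Review bot: The new USER column text `<para>[<user name or number>]:[<group name or number>]` shows literal angle brackets in element content; unless the source actually holds entity references that the page decoded for display, `<user name or number>` parses as a start tag with valueless attributes and the file stops being well-formed, which breaks the DocBook build. Write the placeholders as `[&lt;user name or number&gt;]:[&lt;group name or number&gt;]`. The same listitem spells `optionnal` for `optional`, and the spacing in `It may contain : ` and `Examples : ` is inconsistent with the rest of the page. The `<itemizedlist>` containing this entry starts outside the hunk.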