Fix oversights in ID changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6699 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-06-28 22:24:59 +00:00
parent c35f8c48d8
commit aef34d7908
7 changed files with 53 additions and 607 deletions

View File

@ -35,7 +35,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -53,7 +54,7 @@
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</ulink>.</para>
<section>
<section id="Tunnel6to4">
<title>Connecting two IPv6 Networks</title>
<para>Suppose that we have the following situation:</para>
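Review bot: the new `id="Tunnel6to4"` belongs on `<section>` rather than on `<title>`, which is the right choice, but an id only helps if something points at it; before closing out the "ID changes" this commit message refers to, grep the other documents for `linkend="Tunnel6to4"` and for external `#Tunnel6to4` URLs so that the new anchor matches what the rest of the docs expect.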
@ -62,17 +63,20 @@
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
accomplished through use of the <filename><filename>/etc/shorewall/tunnels</filename></filename>
file and the <quote>ip</quote> utility for network interface and routing
accomplished through use of the
<filename><filename>/etc/shorewall/tunnels</filename></filename> file and
the <quote>ip</quote> utility for network interface and routing
configuration.</para>
<para>Unlike GRE and IPIP tunneling, the <filename>/etc/shorewall/policy</filename>,
<filename>/etc/shorewall/interfaces</filename> and <filename>/etc/shorewall/zones</filename>
files are not used. There is no need to declare a zone to represent the
remote IPv6 network. This remote network is not visible on IPv4 interfaces
and to iptables. All that is visible on the IPv4 level is an IPv4 stream
which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules
need to be defined to handle this traffic.</para>
<para>Unlike GRE and IPIP tunneling, the
<filename>/etc/shorewall/policy</filename>,
<filename>/etc/shorewall/interfaces</filename> and
<filename>/etc/shorewall/zones</filename> files are not used. There is no
need to declare a zone to represent the remote IPv6 network. This remote
network is not visible on IPv4 interfaces and to iptables. All that is
visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic.</para>
<para>In <filename>/etc/shorewall/tunnels </filename>on system A, we need
the following:</para>
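Review bot: the reflowed paragraph keeps the doubled `<filename><filename>/etc/shorewall/tunnels</filename></filename>` from the original text. Since the hunk already rewrites those lines, collapse it to a single `<filename>/etc/shorewall/tunnels</filename>`; the nesting is tolerated by the DTD but renders as nested monospace and is exactly the kind of leftover this commit is cleaning up.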
@ -86,10 +90,10 @@
<para>Use the following commands to setup system A:</para>
<programlisting>&#62;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
&#62;<command>ip link set dev tun6to4 up</command>
&#62;<command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
&#62;<command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>
<programlisting>&gt;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
&gt;<command>ip link set dev tun6to4 up</command>
&gt;<command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
&gt;<command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>
<para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
B we have:</para>
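Review bot: replacing `&#62;` with `&gt;` is a pure entity normalization and renders identically, so the change itself is fine. While these listings are being touched, the tunnel endpoints use `3ffe:8280:0:2001::/64`, which lies in the old 6bone range (3ffe::/16) that RFC 3701 returned to IANA in June 2006; documentation examples should use the reserved `2001:db8::/32` documentation prefix (RFC 3849) so that nobody copies an address block that can be allocated to someone else. The same applies to the system B listing in the next hunk.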
@ -99,10 +103,10 @@
<para>And use the following commands to setup system B:</para>
<programlisting>&#62;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
&#62;<command>ip link set dev tun6to4 up</command>
&#62;<command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
&#62;<command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>
<programlisting>&gt;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
&gt;<command>ip link set dev tun6to4 up</command>
&gt;<command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
&gt;<command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>
<para>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now

View File

@ -1,557 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Corporate Network</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
<author>
<firstname>Graeme</firstname>
<surname>Boyle</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2003</year>
<year>2005</year>
<holder>Thomas M. Eastep and Graeme Boyle</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para><emphasis role="bold">This document has not been updated yet, to
reflect a correct configuration for Shorewall 3</emphasis>.</para>
</warning>
<section>
<title>The Network</title>
<note>
<itemizedlist>
<listitem>
<para>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</para>
</listitem>
<listitem>
<para>Make sure you know what public IP addresses are currently
being used and verify these <emphasis>before</emphasis>
starting.</para>
</listitem>
<listitem>
<para>Verify your DNS settings <emphasis>before</emphasis> starting
any Shorewall configuration especially if you have split DNS.</para>
</listitem>
<listitem>
<para>System names and Internet IP addresses have been changed to
protect the innocent.</para>
</listitem>
</itemizedlist>
</note>
<warning>
<para>This configuration uses a combination of One-to-one NAT and Proxy
ARP. This is generally not relevant to a simple configuration with a
single public IP address. If you have just a single public IP address,
most of what you see here won't apply to your setup so beware of copying
parts of this configuration and expecting them to work for you. What you
copy may or may not work in your configuration.</para>
</warning>
<para>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram
below.</para>
<section>
<title>Summary</title>
<itemizedlist>
<listitem>
<para>SNAT for all systems connected to the LAN - Internal addresses
10.10.x.x to external address 192.0.18.127.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Polaris</emphasis> (Exchange
Server #2). Internal address 10.10.1.8 and external address
192.0.18.70.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Sims</emphasis> (Inventory
Management server). Internal address 10.10.1.56 and external address
192.0.18.75.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Project</emphasis> (Project Web
Server). Internal address 10.10.1.55 and external address
192.0.18.84.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Fortress</emphasis> (Exchange
Server). Internal address 10.10.1.252 and external address
192.0.18.93.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>BBSRV</emphasis> (Blackberry
Server). Internal address 10.10.1.230 and external address
192.0.18.97.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Intweb</emphasis> (Intranet Web
Server). Internal address 10.10.1.60 and external address
192.0.18.115.</para>
</listitem>
</itemizedlist>
<para>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
with RH8.0.</para>
<para>The Firewall is also a proxy server running Privoxy 3.0.</para>
<para>The single system in the DMZ (address 192.0.18.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
That server is managed through Proxy ARP.</para>
<para>All administration and publishing is done using ssh/scp. I have X
installed on the firewall and the system in the DMZ. X applications
tunnel through SSH to Hummingbird Exceed running on a PC located in the
LAN. Access to the firewall using SSH is restricted to systems in the
LAN, DMZ or the system Kaos which is on the Internet and managed by
me.</para>
<graphic fileref="images/CorpNetwork.gif" />
<para>The Ethernet 0 interface in the Server is configured with IP
address 192.0.18.68, netmask 255.255.255.192. The server's default
gateway is 192.0.18.65, the Router connected to my network and the ISP.
This is the same default gateway used by the firewall itself. On the
firewall, Shorewall automatically adds a host route to 192.0.18.80
through Ethernet 2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and init
scripts to include the fixes suggested when having an IPSec
tunnel.</para>
</section>
<section>
<title>Some Mistakes I Made</title>
<para>Yes, believe it or not, I made some really basic mistakes when
building this firewall. Firstly, I had the new firewall setup in
parallel with the old firewall so that there was no interruption of
service to my users. During my out-bound testing, I set up systems on
the LAN to utilize the firewall which worked fine. When testing my NAT
connections, from the outside, these would fail and I could not
understand why. Eventually, I changed the default route on the internal
system I was trying to access, to point to the new firewall and
<quote>bingo</quote>, everything worked as expected. This oversight
delayed my deployment by a couple of days not to mention level of
frustration it produced.</para>
<para>Another problem that I encountered was in setting up the Proxyarp
system in the DMZ. Initially I forgot to remove the entry for the eth2
from the /etc/shorewall/masq file. Once my file settings were correct, I
started verifying that the ARP caches on the firewall, as well as the
outside system <quote>kaos</quote>, were showing the correct Ethernet
MAC address. However, in testing remote access, I could access the
system in the DMZ only from the firewall and LAN but not from the
Internet. The message I received was <quote>connection denied</quote> on
all protocols. What I did not realize was that a <quote>helpful</quote>
administrator that had turned on an old system and assigned the same
address as the one I was using for Proxyarp without notifying me. How
did I work this out. I shutdown the system in the DMZ, rebooted the
router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP
cache and lo-and-behold a different MAC address showed up. High levels
of frustration etc., etc. The administrator will not be doing that
again! :-)</para>
</section>
<section>
<title>Lessons Learned</title>
<itemizedlist>
<listitem>
<para>Read the documentation.</para>
</listitem>
<listitem>
<para>Draw your network topology before starting.</para>
</listitem>
<listitem>
<para>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note of
these port numbers.</para>
</listitem>
<listitem>
<para>Try to get quiet time to build the firewall - you need to
focus on the job at hand.</para>
</listitem>
<listitem>
<para>When asking for assistance, be honest and include as much
detail as requested. Don't try and hide IP addresses etc., you will
probably screw up the logs and make receiving assistance
harder.</para>
</listitem>
<listitem>
<para>Read the documentation.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Futures</title>
<para>This is by no means the final configuration. In the near future, I
will be moving more systems from the LAN to the DMZ. I will also be
watching the logs for port scan programs etc. but, this should be
standard security maintenance.</para>
</section>
</section>
<section>
<title>Configuration Files</title>
<para>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do the
same.</para>
<section>
<title>Shorewall.conf</title>
<programlisting>##############################################################################
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
LOGFILE=/var/log/messages
LOGFORMAT=<quote>Shorewall:%s:%s:</quote>
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=debug
RFC1918_LOG_LEVEL=debug
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Zones File</title>
<programlisting>#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
dmz DMZ Demilitarized Zone
vpn1 VPN1 VPN to Germany
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Interfaces File</title>
<programlisting>##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags
loc eth1 detect dhcp,routefilter
dmz eth2 detect
vpn1 ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</section>
<section>
<title>Routestopped File</title>
<programlisting>#INTERFACE HOST(S)
eth1 -
eth2 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Policy File</title>
<programlisting>###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc fw ACCEPT
loc dmz ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
fw loc ACCEPT
fw dmz ACCEPT
dmz fw ACCEPT
dmz loc ACCEPT
dmz net ACCEPT
#
# Adding VPN Access
loc vpn1 ACCEPT
dmz vpn1 ACCEPT
fw vpn1 ACCEPT
vpn1 loc ACCEPT
vpn1 dmz ACCEPT
vpn1 fw ACCEPT
#
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Masq File</title>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 eth1 192.0.18.126
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>NAT File</title>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
#
# Intranet Web Server
192.0.18.115 eth0:0 10.10.1.60 No No
#
# Project Web Server
192.0.18.84 eth0:1 10.10.1.55 No No
#
# Blackberry Server
192.0.18.97 eth0:2 10.10.1.55 No No
#
# Corporate Mail Server
192.0.18.93 eth0:3 10.10.1.252 No No
#
# Second Corp Mail Server
192.0.18.70 eth0:4 10.10.1.8 No No
#
# Sims Server
192.0.18.75 eth0:5 10.10.1.56 No No
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Proxy ARP File</title>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE
#
# The Corporate email server in the DMZ
192.0.18.80 eth2 eth0 No
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Tunnels File</title>
<programlisting># TYPE ZONE GATEWAY GATEWAY ZONE PORT
ipsec net 134.147.129.82
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Rules File (The shell variables are set in
/etc/shorewall/params)</title>
<programlisting>##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH from internet interface from kaos only
#
ACCEPT net:192.0.18.98 fw tcp 22
#
# Accept connections from the local network for administration
#
ACCEPT loc fw tcp 20:22
ACCEPT loc net tcp 22
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT loc net icmp 8
ACCEPT dmz fw icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
DROP net fw icmp 8
DROP net loc icmp 8
DROP net dmz icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DROP fw net icmp 8
#
# Accept proxy web connections from the inside
#
ACCEPT loc fw tcp 8118
#
# Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems
# From a specific IP Address on the Internet.
#
# ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http
# ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632
#
# Intranet web server
ACCEPT net loc:10.10.1.60 tcp 443
ACCEPT dmz loc:10.10.1.60 tcp 443
#
# Projects web server
ACCEPT net loc:10.10.1.55 tcp 80
ACCEPT dmz loc:10.10.1.55 tcp 80
#
# Blackberry Server
ACCEPT net loc:10.10.1.230 tcp 3101
#
# Corporate Email Server
ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443
#
# Corporate #2 Email Server
ACCEPT net loc:10.10.1.8 tcp 25,80,110,443
#
# Sims Server
ACCEPT net loc:10.10.1.56 tcp 80,443
ACCEPT net loc:10.10.1.56 tcp 7001:7002
ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632
#
# Access to DMZ
ACCEPT loc dmz udp 53,177
ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110
ACCEPT net dmz udp 53
ACCEPT net dmz tcp 25,53,22,21,123
ACCEPT dmz net tcp 25,53,80,123,443,21,22
ACCEPT dmz net udp 53
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Start File</title>
<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
qt service ipsec start</programlisting>
</section>
<section>
<title>Stop File</title>
<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# <quote>shorewall stop</quote> command.
#
qt service ipsec stop</programlisting>
</section>
<section>
<title>Init File</title>
<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a <quote>shorewall start</quote> or <quote>shorewall restart</quote> command.
#
qt service ipsec stop</programlisting>
</section>
</section>
</article>
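Review bot: removing CorpNetwork.xml outright is defensible given the file's own warning that it was never updated for Shorewall 3 and the 1.4-era formats it still shows (a `/etc/shorewall/nat` with ALL INTERFACES and LOCAL columns, a shorewall.conf with NAT_ENABLED, NEWNOTSYN and LOGUNCLEAN), but confirm that nothing other than the Documentation_Index row dropped in this commit still links to CorpNetwork.htm, and consider leaving a short stub or redirect since that URL has been published. The deleted text also carried inconsistencies that argue for deletion over a quick update: the Blackberry server is summarized as 10.10.1.230 but mapped from 192.0.18.97 to 10.10.1.55 in the NAT file, the SNAT address is 192.0.18.127 in the summary and 192.0.18.126 in the masq file, and the eth0 broadcast is 62.123.106.127 for a 192.0.18.64/26 network.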

View File

@ -170,8 +170,7 @@
</row>
<row>
<entry><ulink url="CorpNetwork.htm">Corporate Network
Example</ulink></entry>
<entry><ulink url="dhcp.htm">DHCP</ulink></entry>
<entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
Interface</ulink></entry>
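Review bot: dropping the Corporate Network Example row matches the deletion of CorpNetwork.xml in this commit, but because the first column of this three-column table is filled sequentially, removing one entry shifts every later first-column entry up a row (all of the following hunks in this file) and leaves an empty `<entry></entry>` in the final row. A one-line change has become a dozen hunks; if this index is edited often, generating the table layout from a flat list would make such removals a single-line diff and avoid hand-rebalancing.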
@ -182,7 +181,8 @@
</row>
<row>
<entry><ulink url="dhcp.htm">DHCP</ulink></entry>
<entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="XenMyWay-Routed.html">My Shorewall
Configuration</ulink></entry>
@ -192,8 +192,8 @@
</row>
<row>
<entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="shorewall_extension_scripts.htm">Extension
Scripts</ulink> (User Exits)</entry>
<entry><ulink url="NetfilterOverview.html">Netfilter
Overview</ulink></entry>
@ -202,8 +202,8 @@
</row>
<row>
<entry><ulink url="shorewall_extension_scripts.htm">Extension
Scripts</ulink> (User Exits)</entry>
<entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="netmap.html">Network Mapping</ulink></entry>
@ -212,8 +212,7 @@
</row>
<row>
<entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
<entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
NAT)</entry>
@ -224,7 +223,8 @@
</row>
<row>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
<entry><ulink
url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="OPENVPN.html">OpenVPN</ulink></entry>
@ -233,8 +233,8 @@
</row>
<row>
<entry><ulink
url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
Same Interface</ulink></entry>
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></entry>
@ -243,8 +243,7 @@
</row>
<row>
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
Same Interface</ulink></entry>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
<entry><ulink url="PacketMarking.html">Packet
Marking</ulink></entry>
@ -254,7 +253,8 @@
</row>
<row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
<entry><ulink url="support.htm">Getting help or answers to
questions</ulink></entry>
<entry><ulink url="PacketHandling.html">Packet Processing in a
Shorewall-based Firewall</ulink></entry>
@ -263,8 +263,8 @@
</row>
<row>
<entry><ulink url="support.htm">Getting help or answers to
questions</ulink></entry>
<entry><ulink url="Install.htm">Installation/Upgrade</ulink>
(<ulink url="Install_fr.html">Français</ulink>)</entry>
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
@ -273,8 +273,7 @@
</row>
<row>
<entry><ulink url="Install.htm">Installation/Upgrade</ulink>
(<ulink url="Install_fr.html">Français</ulink>)</entry>
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry><ulink url="ports.htm">Port Information</ulink></entry>
@ -283,7 +282,7 @@
</row>
<row>
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
<entry></entry>
<entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
of the 'Recent Match'</ulink></entry>
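Review bot: the empty `<entry></entry>` now in the first column of the IPP2P row is valid CALS but renders as a blank cell at the bottom of that column. Either accept the blank cell (in which case `<entry/>` is the conventional spelling) or move the column break so the last row is full; as written, the index looks like an entry was accidentally blanked rather than removed.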

View File

@ -32,8 +32,8 @@
</legalnotice>
</articleinfo>
<section>
<title id="Intro">Introduction</title>
<section id="Intro">
<title>Introduction</title>
<para>The information in this document applies only to 4.x releases of
Shorewall.</para>
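Review bot: moving `id="Intro"` from `<title>` to `<section>` is the correct fix. Cross-reference and olink resolution in DocBook targets the containing section, and an id on the title element is not a section id, so an `xref` or `link` pointing at it does not behave like a section reference and chunked-HTML file naming keys on the section rather than the title. Check that any existing `linkend="Intro"` references and any external `Introduction.html#Intro` URLs still resolve, since the generated anchor may change with the element it hangs on; the same review applies to the `Packages`, `Old` and `Survey` hunks later in this commit, which make the identical move.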
@ -64,7 +64,7 @@
</itemizedlist>
</section>
<section>
<section id="Shorewall">
<title>What is Shorewall?</title>
<para>The Shoreline Firewall, more commonly known as
@ -305,8 +305,8 @@ ACCEPT net $FW tcp 22</programlisting>
</itemizedlist>
</section>
<section>
<title id="Packages">Shorewall Packages</title>
<section id="Packages">
<title>Shorewall Packages</title>
<para>Shorewall 4.0 consists of four packages.</para>

View File

@ -128,8 +128,8 @@
<para>The currently-supported major releases are 3.2.x and 3.4.x.</para>
</section>
<section>
<title id="Old">Old Release Model</title>
<section id="Old">
<title>Old Release Model</title>
<para>This release model described above was adopted on 2004-07-03 and
modified 2004-07-21. Prior to 2004-07-03, a different release model was

View File

@ -58,7 +58,7 @@
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT z1 z2</programlisting>
<example>
<example id="Example1">
<title>Ping from local zone to firewall</title>
<para>To permit ping from the local zone to the firewall:</para>
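Review bot: `Example1` and `Example2` are unique within this article, but they are generic names that say nothing about the content, and DocBook ids must be unique per document, so they will collide the first time these articles are assembled into a book or set. Prefer descriptive ids tied to what the example shows, for instance something like `PingAcceptLocFw` and `PingDropNet` (names suggested here, not taken from the source), and apply the same to the `Example2` hunk that follows.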
@ -82,7 +82,7 @@ Ping/ACCEPT loc $FW</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP z1 z2</programlisting>
<example>
<example id="Example2">
<title>Silently drop pings from the Internet</title>
<para>To drop ping from the internet, you would need this rule in

View File

@ -57,8 +57,8 @@
have a survey module, but when i last looked at them, they were more
limited and harder to use than Zoomerang.</para>
<section>
<title id="Survey">Survey and results links</title>
<section id="Survey">
<title>Survey and results links</title>
<para>The survey is still open as of this writing, and can be accessed
at <ulink url="http://www.zoomerang.com/survey.zgi?p=WEB2253NNBCN44">the