Shorewall 1.4.10
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1099 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
f67cb1eab8
commit
afee989ee5
@ -92,7 +92,7 @@
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
@ -126,6 +126,6 @@
|
||||
# place a similar limit in the TARGET column.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
|
||||
# PORT PORT(S) LIMIT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,23 +1,23 @@
|
||||
Changes since 1.4.8
|
||||
Changes since 1.4.9
|
||||
|
||||
1) Replace "Static NAT" with "One-to-one NAT".
|
||||
1) Implement destination list in masq file.
|
||||
|
||||
2) Change SMB common rules to DROP.
|
||||
2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
|
||||
|
||||
3) Change wording in release notes.
|
||||
3) Correct column headings in action.template
|
||||
|
||||
4) Move ip_forward handling to a function.
|
||||
4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or
|
||||
ADD_SNAT_ALIASES=Yes.
|
||||
|
||||
5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.
|
||||
5) Implement "detectnets" option.
|
||||
|
||||
6) Reword the description of NEWNOTSYN in shorewall.conf.
|
||||
6) Correct the CONTINUE target and fix a couple of bugs in rate
|
||||
limiting (with an assist from Steven Jan Springl).
|
||||
|
||||
7) Added MODULE_SUFFIX option to shorewall.conf.
|
||||
7) Silently drop smurfs and broadcasts in the 'reject' chain.
|
||||
|
||||
8) Add /etc/shorewall/actions and /etc/shorewall/action.template
|
||||
8) Add multicast to 'detectnets' zones.
|
||||
|
||||
9) Fix SNAT handling in DNAT rules.
|
||||
9) Don't add broadcasts to /0 groups.
|
||||
|
||||
10) Change default to NEWNOTSYN=Yes
|
||||
|
||||
11) Add rule to drop null source addressed ICMPs.
|
||||
10) Fix "-" in PROTO column of an action file.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.9
|
||||
VERSION=1.4.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
212
STABLE/firewall
212
STABLE/firewall
@ -564,11 +564,21 @@ determine_hosts() {
|
||||
eval interfaces=\$${zone}_interfaces
|
||||
|
||||
for interface in $interfaces; do
|
||||
if [ -z "$hosts" ]; then
|
||||
hosts=$interface:0.0.0.0/0
|
||||
eval options=\$`chain_base ${interface}`_options
|
||||
|
||||
if list_search detectnets $options; then
|
||||
subnets=`get_routed_subnets $interface`
|
||||
else
|
||||
hosts="$hosts $interface:0.0.0.0/0"
|
||||
subnets=0.0.0.0/0
|
||||
fi
|
||||
|
||||
for subnet in $subnets; do
|
||||
if [ -z "$hosts" ]; then
|
||||
hosts=$interface:$subnet
|
||||
else
|
||||
hosts="$hosts $interface:$subnet"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
interfaces=
|
||||
@ -611,6 +621,8 @@ validate_zone() # $1 = zone
|
||||
# Validate the zone names and options in the interfaces file
|
||||
#
|
||||
validate_interfaces_file() {
|
||||
local wildcard
|
||||
|
||||
while read z interface subnet options; do
|
||||
expandv z interface subnet options
|
||||
r="$z $interface $subnet $options"
|
||||
@ -628,10 +640,15 @@ validate_interfaces_file() {
|
||||
list_search $interface $all_interfaces && \
|
||||
startup_error "Duplicate Interface $interface"
|
||||
|
||||
wildcard=
|
||||
|
||||
case $interface in
|
||||
*:*)
|
||||
startup_error "Invalid Interface Name: $interface"
|
||||
;;
|
||||
*+*)
|
||||
wildcard=Yes
|
||||
;;
|
||||
esac
|
||||
|
||||
all_interfaces="$all_interfaces $interface"
|
||||
@ -646,6 +663,10 @@ validate_interfaces_file() {
|
||||
case $option in
|
||||
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
detectnets)
|
||||
[ -n "$wildcard" ] && \
|
||||
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
|
||||
;;
|
||||
dropunclean|logunclean)
|
||||
error_message \
|
||||
"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
|
||||
@ -1709,6 +1730,25 @@ process_tc_rule()
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "x$user" != "x-" ]; then
|
||||
|
||||
[ "$chain" != tcout ] && \
|
||||
fatal_error "Invalid use of a user/group: rule \"$rule\""
|
||||
|
||||
case "$user" in
|
||||
*:*)
|
||||
r="$r-m owner"
|
||||
temp="${user%:*}"
|
||||
[ -n "$temp" ] && r="$r --uid-owner $temp "
|
||||
temp="${user#*:}"
|
||||
[ -n "$temp" ] && r="$r --gid-owner $temp "
|
||||
;;
|
||||
*)
|
||||
r="$r-m owner --uid-owner $user "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
@ -1767,9 +1807,9 @@ setup_tc1() {
|
||||
#
|
||||
strip_file tcrules
|
||||
|
||||
while read mark sources dests proto ports sports; do
|
||||
expandv mark sources dests proto ports sports
|
||||
rule=`echo "$mark $sources $dests $proto $ports $sports"`
|
||||
while read mark sources dests proto ports sports user; do
|
||||
expandv mark sources dests proto ports sports user
|
||||
rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
|
||||
process_tc_rule
|
||||
done < $TMP_DIR/tcrules
|
||||
#
|
||||
@ -2335,7 +2375,7 @@ process_action() # $1 = action
|
||||
|
||||
# Generate Netfilter rule(s)
|
||||
|
||||
protocol=${protocol:=all}
|
||||
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
@ -2904,6 +2944,8 @@ process_rule() # $1 = target
|
||||
|
||||
# Function Body - isolate rate limit
|
||||
|
||||
[ "x$ratelimit" = "x-" ] && ratelimit=
|
||||
|
||||
if [ -z "$ratelimit" ]; then
|
||||
if [ "$target" != "${target%<*}" ]; then
|
||||
ratelimit="${target#*<}"
|
||||
@ -2915,9 +2957,6 @@ process_rule() # $1 = target
|
||||
|
||||
if [ -n "$ratelimit" ]; then
|
||||
case $ratelimit in
|
||||
-)
|
||||
ratelimit=
|
||||
;;
|
||||
*:*)
|
||||
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
|
||||
;;
|
||||
@ -2955,7 +2994,11 @@ process_rule() # $1 = target
|
||||
case "$userset" in
|
||||
*:*)
|
||||
case $target in
|
||||
ACCEPT|REJECT|DROP)
|
||||
ACCEPT)
|
||||
;;
|
||||
REJECT|DROP)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
;;
|
||||
*)
|
||||
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
|
||||
@ -2981,9 +3024,13 @@ process_rule() # $1 = target
|
||||
target=`accept_chain $userset`
|
||||
;;
|
||||
DROP)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=`drop_chain $userset`
|
||||
;;
|
||||
REJECT)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=`reject_chain $userset`
|
||||
;;
|
||||
*)
|
||||
@ -2999,8 +3046,15 @@ process_rule() # $1 = target
|
||||
ACCEPT|LOG)
|
||||
;;
|
||||
REJECT)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=reject
|
||||
;;
|
||||
CONTINUE)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=RETURN
|
||||
;;
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
@ -3735,7 +3789,7 @@ setup_masq()
|
||||
case $fullinterface in
|
||||
*:*:*)
|
||||
# Both alias name and subnet
|
||||
destnet="${fullinterface##*:}"
|
||||
destnets="${fullinterface##*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*:*)
|
||||
@ -3743,17 +3797,17 @@ setup_masq()
|
||||
case ${fullinterface#*:} in
|
||||
*.*)
|
||||
# It's a subnet
|
||||
destnet="${fullinterface#*:}"
|
||||
destnets="${fullinterface#*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*)
|
||||
#it's an alias name
|
||||
destnet="0.0.0.0/0"
|
||||
destnets="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
destnet="0.0.0.0/0"
|
||||
destnets="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3770,7 +3824,6 @@ setup_masq()
|
||||
subnet="${subnet%!*}"
|
||||
fi
|
||||
|
||||
chain=`masq_chain $interface`
|
||||
|
||||
source="$subnet"
|
||||
|
||||
@ -3799,33 +3852,70 @@ setup_masq()
|
||||
done
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
destination=$destnets
|
||||
|
||||
if [ -n "$nomasq" ]; then
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
chain=`masq_chain $interface`
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -d $destnet -s $s -j $newchain
|
||||
case $destnets in
|
||||
!*)
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
destnets=${destnets#!}
|
||||
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $newchain -d $destnet -j RETURN
|
||||
done
|
||||
else
|
||||
addnatrule $chain -d $destnet -j $newchain
|
||||
fi
|
||||
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
subnet=
|
||||
destnet=
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -s $s -j $newchain
|
||||
done
|
||||
subnet=
|
||||
else
|
||||
addnatrule $chain -j $newchain
|
||||
fi
|
||||
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
destnets=0.0.0.0/0
|
||||
|
||||
source="$source except $nomasq"
|
||||
else
|
||||
destnet="-d $destnet"
|
||||
fi
|
||||
if [ -n "$nonmasq" ]; then
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
source="$source except $nomasq"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$nomasq" ]; then
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -s $s -j $newchain
|
||||
done
|
||||
done
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -j $newchain
|
||||
done
|
||||
fi
|
||||
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
subnet=
|
||||
destnets=0.0.0.0/0
|
||||
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
|
||||
source="$source except $nomasq"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$addresses" ]; then
|
||||
temp=
|
||||
@ -3837,18 +3927,26 @@ setup_masq()
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
if [ -n "$addresses" ]; then
|
||||
addnatrule $chain -s $s $destnet -j SNAT $temp
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -s $s -d $destnet -j SNAT $temp
|
||||
done
|
||||
echo " To $destination from $s through ${interface} using $addresses"
|
||||
else
|
||||
addnatrule $chain -s $s $destnet -j MASQUERADE
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -s $s -d $destnet -j MASQUERADE
|
||||
done
|
||||
echo " To $destination from $s through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$address" ]; then
|
||||
addnatrule $chain $destnet -j SNAT $temp
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -j SNAT $temp
|
||||
done
|
||||
echo " To $destination from $source through ${interface} using $addresses"
|
||||
else
|
||||
addnatrule $chain $destnet -j MASQUERADE
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -j MASQUERADE
|
||||
done
|
||||
echo " To $destination from $source through ${interface}"
|
||||
fi
|
||||
|
||||
@ -4345,9 +4443,26 @@ build_common_chain() {
|
||||
#
|
||||
add_common_rules() {
|
||||
local savelogparms="$LOGPARMS"
|
||||
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
||||
#
|
||||
# Reject Rules
|
||||
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
||||
#
|
||||
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $broadcasts ; do
|
||||
run_iptables -A reject -d $address -j DROP
|
||||
done
|
||||
fi
|
||||
#
|
||||
# Don't feed the smurfs
|
||||
#
|
||||
for address in $broadcasts ; do
|
||||
run_iptables -A reject -s $address -j DROP
|
||||
done
|
||||
|
||||
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||
run_iptables -A reject -p udp -j REJECT
|
||||
#
|
||||
@ -4754,6 +4869,8 @@ activate_rules()
|
||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
|
||||
|
||||
need_broadcast=
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
@ -4771,8 +4888,19 @@ activate_rules()
|
||||
[ -n "$complex" ] && \
|
||||
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
|
||||
|
||||
if [ "$subnet" != 0.0.0.0/0 ]; then
|
||||
if ! list_search $interface $need_broadcast ; then
|
||||
eval options=\$`chain_base ${interface}`_options
|
||||
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
for interface in $need_broadcast ; do
|
||||
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
|
||||
run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
|
||||
done
|
||||
|
||||
for zone1 in $zones; do
|
||||
|
||||
eval policy=\$${zone}2${zone1}_policy
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.9
|
||||
VERSION=1.4.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -117,6 +117,13 @@
|
||||
# interface. The interface must be up
|
||||
# when Shorewall is started.
|
||||
#
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE!
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
|
@ -18,7 +18,12 @@
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
# ":" followed by a comma-separed list of
|
||||
# destination hosts or subnets. If this list begins with
|
||||
# "!" then masquerading will occur if and only if the
|
||||
# connection destination is NOT included in the list.
|
||||
# Otherwise, the masquerading will occur if and only if
|
||||
# the destination IS included in the list.
|
||||
#
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
@ -89,7 +94,7 @@
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# primary address of eth0. You want 206.124.146.176 to
|
||||
# be added to eth0 with name eth0:0.
|
||||
#
|
||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||
|
@ -1,24 +1,23 @@
|
||||
This is a minor release of Shorewall.
|
||||
|
||||
Problems Corrected since version 1.4.8:
|
||||
Problems Corrected since version 1.4.9:
|
||||
|
||||
1) There has been a low continuing level of confusion over the terms
|
||||
"Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all
|
||||
instances of "Static NAT" have been replaced with "One-to-one NAT"
|
||||
in the documentation and configuration files.
|
||||
1. The column descriptions in the action.template file did not match
|
||||
the column headings. That has been corrected.
|
||||
|
||||
2) The description of NEWNOTSYN in shorewall.conf has been reworded for
|
||||
clarity.
|
||||
2. The presence of IPV6 addresses on devices generates error messages
|
||||
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
|
||||
specified in /etc/shorewall/shorewall.conf.
|
||||
|
||||
3) Wild-card rules (those involving "all" as SOURCE or DEST) will no
|
||||
longer produce an error if they attempt to add a rule that would
|
||||
override a NONE policy. The logic for expanding these wild-card
|
||||
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
|
||||
policy.
|
||||
3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
|
||||
couple of problems involving rate limiting have been
|
||||
corrected. These bug fixes courtesy of Steven Jan Springl.
|
||||
|
||||
4) DNAT rules that also specified SNAT now work reliably. Previously,
|
||||
there were cases where the SNAT specification was effectively
|
||||
ignored.
|
||||
4. Shorewall now tries to avoid sending an ICMP response to broadcasts
|
||||
and smurfs.
|
||||
|
||||
5. Specifying "-" or "all" in the PROTO column of an action no longer
|
||||
causes a startup error.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
@ -26,79 +25,37 @@ None.
|
||||
|
||||
New Features:
|
||||
|
||||
1) The documentation has been completely rebased to Docbook XML. The
|
||||
documentation is now released as separate HTML and XML packages.
|
||||
1) The INTERFACE column in the /etc/shorewall/masq file may now
|
||||
specify a destination list.
|
||||
|
||||
2) To cut down on the number of "Why are these ports closed rather than
|
||||
stealthed?" questions, the SMB-related rules in
|
||||
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
|
||||
Example:
|
||||
|
||||
3) For easier identification, packets logged under the 'norfc1918'
|
||||
interface option are now logged out of chains named
|
||||
'rfc1918'. Previously, such packets were logged under chains named
|
||||
'logdrop'.
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
eth0:192.0.2.3,192.0.2.16/28 eth1
|
||||
|
||||
4) Distributors and developers seem to be regularly inventing new
|
||||
naming conventions for kernel modules. To avoid the need to change
|
||||
Shorewall code for each new convention, the MODULE_SUFFIX option has
|
||||
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
|
||||
for module names in your particular distribution. If MODULE_SUFFIX
|
||||
is not set in shorewall.conf, Shorewall will use the list "o gz ko
|
||||
o.gz".
|
||||
If the list begins with "!" then SNAT will occur only if the
|
||||
destination IP address is NOT included in the list.
|
||||
|
||||
To see what suffix is used by your distribution:
|
||||
2) Output traffic control rules (those with the firewall as the source)
|
||||
may now be qualified by the effective userid and/or effective group
|
||||
id of the program generating the output. This feature is courtesy of
|
||||
Frédéric LESPEZ.
|
||||
|
||||
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||
A new USER column has been added to /etc/shorewall/tcrules.
|
||||
|
||||
All of the files listed should have the same suffix (extension). Set
|
||||
MODULE_SUFFIX to that suffix.
|
||||
It may contain :
|
||||
|
||||
Examples:
|
||||
[<user name or number>]:[<group name or number>]
|
||||
|
||||
If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
|
||||
If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
|
||||
The colon is optionnal when specifying only a user.
|
||||
|
||||
5) Support for user defined rule ACTIONS has been implemented through
|
||||
two new files:
|
||||
Examples : john: / john / :users / john:users
|
||||
|
||||
/etc/shorewall/actions - used to list the user-defined ACTIONS.
|
||||
/etc/shorewall/action.template - For each user defined <action>, copy
|
||||
this file to
|
||||
/etc/shorewall/action.<action> and
|
||||
add the appropriate rules for that
|
||||
<action>.
|
||||
Once an <action> has been defined, it may be used like any of the
|
||||
builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
|
||||
3) A "detectnets" interface option has been added for entries in
|
||||
/etc/shorewall/interfaces. This option automatically taylors the
|
||||
definition of the zone named in the ZONE column to include just
|
||||
those hosts that have routes through the interface named in the
|
||||
INTERFACE column. The named interface must be UP when
|
||||
Shorewall is [re]started.
|
||||
|
||||
Example: You want an action that logs a packet at the 'info' level
|
||||
and accepts the connection.
|
||||
|
||||
In /etc/shorewall/actions, you would add:
|
||||
|
||||
LogAndAccept
|
||||
|
||||
You would then copy /etc/shorewall/action.template to
|
||||
/etc/shorewall/action.LogAndAccept and in that file, you would add the two
|
||||
rules:
|
||||
|
||||
LOG:info
|
||||
ACCEPT
|
||||
|
||||
6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
|
||||
(non-syn TCP packets that are not part of an existing connection are
|
||||
filtered according to the rules and policies rather than being
|
||||
dropped). I have made this change for two reasons:
|
||||
|
||||
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
|
||||
any timeout during TCP session tear down results in the firewall
|
||||
dropping all of the retries.
|
||||
|
||||
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
|
||||
lots of confusing messages when a connection got "stuck". While I
|
||||
could have changed the default value of LOGNEWNOTSYN to suppress
|
||||
logging, I dislike defaults that silently throw away packets.
|
||||
|
||||
7) The common.def file now contains an entry that silently drops ICMP
|
||||
packets with a null source address. Ad Koster reported a case where
|
||||
these were occuring frequently as a result of a broken system on his
|
||||
external network.
|
||||
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
|
||||
|
@ -46,7 +46,7 @@
|
||||
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||
58.0.0.0/7 logdrop # Reserved
|
||||
70.0.0.0/7 logdrop # Reserved
|
||||
71.0.0.0/8 logdrop # Reserved
|
||||
72.0.0.0/5 logdrop # Reserved
|
||||
85.0.0.0/8 logdrop # Reserved
|
||||
86.0.0.0/7 logdrop # Reserved
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.9
|
||||
%define version 1.4.10
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -109,6 +109,14 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-1
|
||||
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-RC3
|
||||
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-RC2
|
||||
* Thu Jan 22 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-RC1
|
||||
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.9
|
||||
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -57,7 +57,22 @@
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# USER This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective user and/or group.
|
||||
#
|
||||
# It may contain :
|
||||
#
|
||||
# [<user name or number>]:[<group name or number>]
|
||||
#
|
||||
# The colon is optionnal when specifying only a user.
|
||||
# Examples : john: / john / :users / john:users
|
||||
#
|
||||
##############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
# PORT(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.4.9
|
||||
VERSION=1.4.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -17,7 +17,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-24</pubdate>
|
||||
<pubdate>2004-01-25</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -60,132 +60,22 @@
|
||||
shows how to do port forwarding under Shorewall. The format of a
|
||||
port-forwarding rule to a local system is as follows:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">SOURCE PORT</entry>
|
||||
|
||||
<entry align="center">ORIG. DEST.</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:<local IP address>[:<local port>]</entry>
|
||||
|
||||
<entry><protocol></entry>
|
||||
|
||||
<entry><port #></entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
|
||||
DNAT net loc:<l<emphasis>ocal IP address</emphasis>>[:<<emphasis>local port</emphasis>>] <<emphasis>protocol</emphasis>> <<emphasis>port #</emphasis>></programlisting>
|
||||
|
||||
<para>So to forward UDP port 7777 to internal system 192.168.1.5, the
|
||||
rule is:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">SOURCE PORT</entry>
|
||||
|
||||
<entry align="center">ORIG. DEST.</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:192.168.1.5</entry>
|
||||
|
||||
<entry>udp</entry>
|
||||
|
||||
<entry>7777</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
|
||||
DNAT net loc:192.168.1.5 udp 7777</programlisting>
|
||||
|
||||
<para>If you want to forward requests directed to a particular address (
|
||||
<emphasis><external IP></emphasis> ) on your firewall to an
|
||||
internal system:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">SOURCE PORT</entry>
|
||||
|
||||
<entry align="center">ORIG. DEST.</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:<local IP address>[:<local port>]</entry>
|
||||
|
||||
<entry><protocol></entry>
|
||||
|
||||
<entry><port #></entry>
|
||||
|
||||
<entry>-</entry>
|
||||
|
||||
<entry><external IP></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
# PORT DEST.
|
||||
DNAT net loc:<l<emphasis>ocal IP address</emphasis>>[:<<emphasis>local port</emphasis>>] <<emphasis>protocol</emphasis>> <<emphasis>port #</emphasis>> - <<emphasis>external IP</emphasis>></programlisting>
|
||||
|
||||
<para>Finally, if you need to forward a range of ports, in the PORT
|
||||
column specify the range as <emphasis><low-port>:<high-port></emphasis>.</para>
|
||||
@ -235,8 +125,8 @@
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>As root, type <quote>iptables -t nat -Z</quote>. This clears
|
||||
the NetFilter counters in the nat table.</para>
|
||||
<para>As root, type <quote><command>iptables -t nat -Z</command></quote>.
|
||||
This clears the NetFilter counters in the nat table.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -244,7 +134,7 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root type <quote>shorewall show nat</quote></para>
|
||||
<para>As root type <quote><command>shorewall show nat</command></quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -295,47 +185,10 @@
|
||||
my firewall and have the firewall forward the connection to port 22 on
|
||||
local system 192.168.1.3. How do I do that?</title>
|
||||
|
||||
<para>In /etc/shorewall/rules:</para>
|
||||
<para>In /<filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry>DESTINATION</entry>
|
||||
|
||||
<entry>PROTOCOL</entry>
|
||||
|
||||
<entry>PORT</entry>
|
||||
|
||||
<entry>SOURCE PORT</entry>
|
||||
|
||||
<entry>ORIG. DEST.</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:192.168.1.3:22</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>1022</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
|
||||
DNAT net loc:192.168.3:22 tcp 1022</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@ -407,127 +260,30 @@
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>In /etc/shorewall/interfaces:</para>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>eth1</entry>
|
||||
|
||||
<entry>detect</entry>
|
||||
|
||||
<entry><emphasis role="bold">routeback</emphasis></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect <emphasis role="bold">routeback</emphasis></programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In /etc/shorewall/rules:</para>
|
||||
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">SOURCE PORT</entry>
|
||||
|
||||
<entry align="center">ORIG. DEST.</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>web:192.168.1.5</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>www</entry>
|
||||
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>130.151.100.69:192.168.1.254</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
# PORT DEST.
|
||||
DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</programlisting>
|
||||
|
||||
<para>That rule only works of course if you have a static external
|
||||
IP address. If you have a dynamic IP address and are running
|
||||
Shorewall 1.3.4 or later then include this in /etc/shorewall/init:</para>
|
||||
Shorewall 1.3.4 or later then include this in <filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
<programlisting>ETH0_IP=`find_interface_address eth0`</programlisting>
|
||||
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
|
||||
|
||||
<para>and make your DNAT rule:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">SOURCE PORT</entry>
|
||||
|
||||
<entry align="center">ORIG. DEST.</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>web:192.168.1.5</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>www</entry>
|
||||
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>$ETH0_IP:192.168.1.254</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
# PORT DEST.
|
||||
DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP:192.168.1.254</programlisting>
|
||||
|
||||
<para>Using this technique, you will want to configure your
|
||||
DHCP/PPPoE client to automatically restart Shorewall each time that
|
||||
@ -597,94 +353,23 @@
|
||||
|
||||
<literallayout>Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24</literallayout>
|
||||
|
||||
<para>In /etc/shorewall/interfaces:</para>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis></programlisting>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
<para>In <filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
|
||||
dmz dmz ACCEPT</programlisting>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<para>In <filename>/etc/shorewall/masq</filename>:</para>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>dmz</entry>
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
eth2 192.168.2.0/24</programlisting>
|
||||
|
||||
<entry>eth2</entry>
|
||||
|
||||
<entry>192.168.2.255</entry>
|
||||
|
||||
<entry><emphasis role="bold">routeback</emphasis></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>In /etc/shorewall/policy:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LIMIT:BURST</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>dmz</entry>
|
||||
|
||||
<entry>dmz</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry><emphasis role="bold"></emphasis></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>In /etc/shorewall/masq:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">SUBNET</entry>
|
||||
|
||||
<entry align="center">ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth2</entry>
|
||||
|
||||
<entry>192.168.2.0/24</entry>
|
||||
|
||||
<entry><emphasis role="bold"></emphasis></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>In /etc/shorewall/nat, be sure that you have <quote>Yes</quote>
|
||||
in the ALL INTERFACES column.</para>
|
||||
<para>In <filename>/etc/shorewall/na</filename>t, be sure that you
|
||||
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
|
||||
</example>
|
||||
</section>
|
||||
</section>
|
||||
@ -791,18 +476,19 @@
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Create /etc/shorewall/common if it doesn't already exist.</para>
|
||||
<para>Create <filename>/etc/shorewall/common</filename> if it
|
||||
doesn't already exist.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Be sure that the first command in the file is <quote>.
|
||||
/etc/shorewall/common.def</quote></para>
|
||||
<filename>/etc/shorewall/common.de</filename>f</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Add the following to /etc/shorewall/common</para>
|
||||
<para>Add the following to <filename>/etc/shorewall/common</filename></para>
|
||||
|
||||
<programlisting>run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT</programlisting>
|
||||
<programlisting><command>run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT</command></programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
@ -859,14 +545,15 @@
|
||||
see <quote>man syslog</quote>) in your <ulink
|
||||
url="Documentation.htm#Policy">policies</ulink> and <ulink
|
||||
url="Documentation.htm#Rules">rules</ulink>. The destination for
|
||||
messaged logged by syslog is controlled by /etc/syslog.conf (see
|
||||
<quote>man syslog.conf</quote>). When you have changed /etc/syslog.conf,
|
||||
be sure to restart syslogd (on a RedHat system, <quote>service syslog
|
||||
restart</quote>).</para>
|
||||
messaged logged by syslog is controlled by <filename>/etc/syslog.conf</filename>
|
||||
(see <quote>man syslog.conf</quote>). When you have changed
|
||||
/etc/syslog.conf, be sure to restart syslogd (on a RedHat system,
|
||||
<quote>service syslog restart</quote>).</para>
|
||||
|
||||
<para>By default, older versions of Shorewall ratelimited log messages
|
||||
through <ulink url="Documentation.htm#Conf">settings</ulink> in
|
||||
/etc/shorewall/shorewall.conf -- If you want to log all messages, set:</para>
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> -- If you want to log
|
||||
all messages, set:</para>
|
||||
|
||||
<programlisting>LOGLIMIT=""
|
||||
LOGBURST=""</programlisting>
|
||||
@ -929,20 +616,21 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
|
||||
</orderedlist>
|
||||
|
||||
<para>You can distinguish the difference by setting the <emphasis
|
||||
role="bold">logunclean</emphasis> option (<ulink
|
||||
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>)
|
||||
role="bold">logunclean</emphasis> option (<filename><ulink
|
||||
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>)
|
||||
on your external interface (eth0 in the above example). If they get
|
||||
logged twice, they are corrupted. I solve this problem by using an
|
||||
/etc/shorewall/common file like this:</para>
|
||||
|
||||
<programlisting>#
|
||||
# Include the standard common.def file
|
||||
# . /etc/shorewall/common.def
|
||||
#
|
||||
<command>. /etc/shorewall/common.def</command>
|
||||
#
|
||||
# The following rule is non-standard and compensates for tardy
|
||||
# DNS replies
|
||||
#
|
||||
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlisting>
|
||||
<command>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</command></programlisting>
|
||||
|
||||
<para>The above file is also include in all of my sample
|
||||
configurations available in the <ulink
|
||||
@ -1012,8 +700,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
||||
|
||||
<tip>
|
||||
<para>Under Debian, you can set KLOGD=<quote>-c 5</quote> in
|
||||
/etc/init.d/klogd to suppress info (log level 6) messages on the
|
||||
console.</para>
|
||||
<filename>/etc/init.d/klogd</filename> to suppress info (log level 6)
|
||||
messages on the console.</para>
|
||||
</tip>
|
||||
|
||||
<tip>
|
||||
@ -1034,9 +722,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
||||
<term>man1918 or logdrop</term>
|
||||
|
||||
<listitem>
|
||||
<para>The destination address is listed in /etc/shorewall/rfc1918
|
||||
<para>The destination address is listed in <filename>/etc/shorewall/rfc1918</filename>
|
||||
with a <emphasis role="bold">logdrop</emphasis> target -- see
|
||||
<ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>.</para>
|
||||
<filename><ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink></filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1044,9 +732,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
||||
<term>rfc1918 or logdrop</term>
|
||||
|
||||
<listitem>
|
||||
<para>The source address is listed in /etc/shorewall/rfc1918 with
|
||||
a <emphasis role="bold">logdrop</emphasis> target -- see <ulink
|
||||
url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>.</para>
|
||||
<para>The source address is listed in <filename>/etc/shorewall/rfc1918</filename>
|
||||
with a <emphasis role="bold">logdrop</emphasis> target -- see
|
||||
<filename><ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink></filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1099,7 +787,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
||||
<para>The packet is being logged under the <emphasis role="bold">dropunclean</emphasis>
|
||||
<ulink url="Documentation.htm#Interfaces">interface option</ulink>
|
||||
as specified in the <emphasis role="bold">LOGUNCLEAN</emphasis>
|
||||
setting in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
||||
setting in <ulink url="Documentation.htm#Conf"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1108,7 +796,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
||||
|
||||
<listitem>
|
||||
<para>The packet is being logged because the source IP is
|
||||
blacklisted in the <ulink url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink>
|
||||
blacklisted in the <filename><ulink
|
||||
url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink></filename>
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -1121,7 +810,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
||||
is not part of any current connection yet it is not a syn packet.
|
||||
Options affecting the logging of such packets include <emphasis
|
||||
role="bold">NEWNOTSYN</emphasis> and <emphasis role="bold">LOGNEWNOTSYN</emphasis>
|
||||
in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
||||
in <ulink url="Documentation.htm#Conf"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1290,78 +979,29 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
||||
<para>Setting this up in Shorewall is easy; setting up the routing is a
|
||||
bit harder.</para>
|
||||
|
||||
<para>Assuming that eth0 and eth1 are the interfaces to the two ISPs
|
||||
then:</para>
|
||||
<para>Assuming that <filename class="devicefile">eth0</filename> and
|
||||
<filename class="devicefile">eth1</filename> are the interfaces to the
|
||||
two ISPs then:</para>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect
|
||||
net eth1 detect</programlisting>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
|
||||
net net DROP</programlisting>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<para>If you have masqueraded hosts, be sure to update
|
||||
<filename>/etc/shorewall/masq</filename> to masquerade to both ISPs. For
|
||||
example, if you masquerade all hosts connected to <filename
|
||||
class="devicefile">eth2</filename> then:</para>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>eth0</entry>
|
||||
|
||||
<entry>detect</entry>
|
||||
|
||||
<entry>...</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>eth1</entry>
|
||||
|
||||
<entry>detect</entry>
|
||||
|
||||
<entry>...</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>/etc/shorewall/policy:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LIMIT:BURST</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>DROP</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
eth0 eth2
|
||||
eth1 eth2</programlisting>
|
||||
|
||||
<para><citetitle>There was an article in SysAdmin covering this topic.
|
||||
It may be found at <ulink
|
||||
@ -1520,11 +1160,11 @@ ip route add 127.0.0.0/8 dev lo table T2</programlisting>
|
||||
<title>(FAQ 7) When I stop Shorewall using <quote>shorewall stop</quote>,
|
||||
I can't connect to anything. Why doesn't that command work?</title>
|
||||
|
||||
<para>The <quote>stop</quote> command is intended to place your firewall
|
||||
into a safe state whereby only those hosts listed in
|
||||
/etc/shorewall/routestopped' are activated. If you want to totally
|
||||
open up your firewall, you must use the <quote>shorewall clear</quote>
|
||||
command.</para>
|
||||
<para>The <quote><command>stop</command></quote> command is intended to
|
||||
place your firewall into a safe state whereby only those hosts listed in
|
||||
<filename>/etc/shorewall/routestopped</filename>' are activated. If
|
||||
you want to totally open up your firewall, you must use the
|
||||
<quote><command>shorewall clear</command></quote> command.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq8">
|
||||
@ -1590,12 +1230,13 @@ Creating input Chains...
|
||||
<para><emphasis role="bold">Answer:</emphasis> The above output is
|
||||
perfectly normal. The Net zone is defined as all hosts that are
|
||||
connected through eth0 and the local zone is defined as all hosts
|
||||
connected through eth1. If you are running Shorewall 1.4.10 or later,
|
||||
you can consider setting the <ulink url="Documentation.htm#Interfaces"><emphasis
|
||||
role="bold">detectnets</emphasis> interface option</ulink> on your local
|
||||
interface (eth1 in the above example). That will cause Shorewall to
|
||||
restrict the local zone to only those networks routed through that
|
||||
interface.</para>
|
||||
connected through <filename class="devicefile">eth1</filename>. If you
|
||||
are running Shorewall 1.4.10 or later, you can consider setting the
|
||||
<ulink url="Documentation.htm#Interfaces"><emphasis role="bold">detectnets</emphasis>
|
||||
interface option</ulink> on your local interface (<filename
|
||||
class="devicefile">eth1</filename> in the above example). That will
|
||||
cause Shorewall to restrict the local zone to only those networks routed
|
||||
through that interface.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq22">
|
||||
@ -1665,7 +1306,7 @@ Creating input Chains...
|
||||
|
||||
<para>At the shell prompt, type:</para>
|
||||
|
||||
<programlisting>/sbin/shorewall version</programlisting>
|
||||
<programlisting><command>/sbin/shorewall version</command></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="faq31">
|
||||
@ -1745,32 +1386,15 @@ Creating input Chains...
|
||||
version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and
|
||||
in it, place the following:</para>
|
||||
|
||||
<programlisting>run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</programlisting>
|
||||
<programlisting><command>run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</command></programlisting>
|
||||
|
||||
<para>If you are running version 1.3.1 or later, simply add the
|
||||
following to <ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>:</para>
|
||||
|
||||
<para>Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SUBNET</entry>
|
||||
|
||||
<entry align="center">TARGET</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>192.168.100.1</entry>
|
||||
|
||||
<entry>RETURN</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#SUBNET TARGET
|
||||
192.168.100.1 RETURN</programlisting>
|
||||
|
||||
<note>
|
||||
<para>If you add a second IP address to your external firewall
|
||||
@ -1779,31 +1403,9 @@ Creating input Chains...
|
||||
configure the address 192.168.100.2 on your firewall, then you would
|
||||
add two entries to /etc/shorewall/rfc1918:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SUBNET</entry>
|
||||
|
||||
<entry align="center">TARGET</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>192.168.100.1</entry>
|
||||
|
||||
<entry>RETURN</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>192.168.100.2</entry>
|
||||
|
||||
<entry>RETURN</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
<programlisting>#SUBNET TARGET
|
||||
192.168.100.1 RETURN
|
||||
192.168.100.2 RETURN</programlisting>
|
||||
</note>
|
||||
|
||||
<section id="faq14a">
|
||||
@ -1883,7 +1485,7 @@ Creating input Chains...
|
||||
|
||||
<para>Add this command to your /etc/shorewall/start file:</para>
|
||||
|
||||
<programlisting>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</programlisting>
|
||||
<programlisting><command>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</command></programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@ -1941,8 +1543,9 @@ iptables: Invalid argument
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added
|
||||
FAQ 27a regarding kernel/iptables incompatibility.<emphasis role="bold"></emphasis></revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
<para><revhistory><revision><revnumber>1.15</revnumber><date>2004-01-25</date><authorinitials>TE</authorinitials><revremark>Updated
|
||||
FAQ 32 to mention masquerading. Remove tables.</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added
|
||||
FAQ 27a regarding kernel/iptables incompatibility.</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
a note about the <emphasis role="bold">detectnets</emphasis> interface
|
||||
option in FAQ 9.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
|
||||
FAQ 16 answer.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Corrected
|
||||
|
@ -13,10 +13,10 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2003/12/23</pubdate>
|
||||
<pubdate>2004-01-26</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -98,6 +98,82 @@
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall Concepts</title>
|
||||
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||
setups, you will only need to deal with a few of them.</para>
|
||||
|
||||
<para>Shorewall views the network where it is running as being composed of
|
||||
a set of zones. In the <ulink url="three-interface.htm">three-interface
|
||||
sample configuration</ulink> for example, the following zone names are
|
||||
used: <informaltable frame="all" pgwide="0"><tgroup align="left" cols="2"><thead
|
||||
valign="middle"><row valign="middle"><entry align="left">Name</entry><entry
|
||||
align="left">Description</entry></row></thead><tbody valign="middle"><row
|
||||
valign="middle"><entry align="left"><varname>net</varname></entry><entry
|
||||
align="left">The Internet</entry></row><row valign="middle"><entry
|
||||
align="left"><varname>loc</varname></entry><entry align="left">Your Local
|
||||
Network</entry></row><row valign="middle"><entry align="left"><varname>dmz</varname></entry><entry
|
||||
align="left">Demilitarized Zone</entry></row></tbody></tgroup></informaltable>Zones
|
||||
are defined in the <ulink url="Documentation.htm#Zones"><filename
|
||||
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
|
||||
file.</para>
|
||||
|
||||
<para>Shorewall also recognizes the firewall system as its own zone - by
|
||||
default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
|
||||
|
||||
<para>Rules about what traffic to allow and what traffic to deny are
|
||||
expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You
|
||||
express your default policy for connections from one zone to another zone
|
||||
in the <ulink url="Documentation.htm#Policy"><filename class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>
|
||||
file.</para></listitem><listitem><para>You define exceptions to those
|
||||
default policies in the <ulink url="Documentation.htm#Rules"><filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>
|
||||
file.</para></listitem></itemizedlist>For each connection request entering
|
||||
the firewall, the request is first checked against the <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
||||
file. If no rule in that file matches the connection request then the
|
||||
first policy in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
that matches the request is applied. If that policy is <varname>REJECT</varname>
|
||||
or <varname>DROP</varname> the request is first checked against the rules
|
||||
in <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
|
||||
if that file exists; otherwise the rules in <filename class="directory">/etc/shorewall/</filename><filename>common.def</filename>
|
||||
are checked.</para>
|
||||
|
||||
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
file included with the three-interface sample has the following policies:
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>In the three-interface
|
||||
sample, the line below is included but commented out. If you want your
|
||||
firewall system to have full access to servers on the internet, uncomment
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
fw net ACCEPT</programlisting> The above policy will:
|
||||
<itemizedlist><listitem><para>Allow all connection requests from your
|
||||
local network to the internet</para></listitem><listitem><para>Drop
|
||||
(ignore) all connection requests from the internet to your firewall or
|
||||
local network</para></listitem><listitem><para>Optionally accept all
|
||||
connection requests from the firewall to the internet (if you uncomment
|
||||
the additional policy)</para></listitem><listitem><para>reject all other
|
||||
connection requests.</para></listitem></itemizedlist></para>
|
||||
|
||||
<para>The simplest way to define a zone is to associate the zone with a
|
||||
network interface using the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
file. In the three-interface sample, the three zones are defined using
|
||||
that file as follows:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,routefilter,norfc1918
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
|
||||
<para>The above file defines the net zone as all hosts interfacing to the
|
||||
firewall through eth0, the loc zone as all hosts interfacing through eth1
|
||||
and the dmz as all hosts interfacing through eth2.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>License</title>
|
||||
|
||||
|
@ -15,14 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-12-09</pubdate>
|
||||
<pubdate>2003-01-29</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
|
||||
<year>2002</year>
|
||||
|
||||
<year>2003</year>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -37,8 +33,8 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<para>Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were
|
||||
limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
|
||||
<para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
|
||||
were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
|
||||
Beginning with Shorewall version 1.4.9, users may use sequences of these
|
||||
elementary operations to define more complex actions.</para>
|
||||
|
||||
@ -46,18 +42,19 @@
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Add a line to /etc/shorewall/actions that names your new action.
|
||||
Action names must be valid shell variable names as well as valid
|
||||
Netfilter chain names. It is recommended that the name you select for a
|
||||
new action begins with with a capital letter; that way, the name
|
||||
won't conflict with a Shorewall-defined chain name.</para>
|
||||
<para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
|
||||
that names your new action. Action names must be valid shell variable
|
||||
names as well as valid Netfilter chain names. It is recommended that the
|
||||
name you select for a new action begins with with a capital letter; that
|
||||
way, the name won't conflict with a Shorewall-defined chain name.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Once you have defined your new action name (ActionName), then copy
|
||||
/etc/shorewall/action.template to /etc/shorewall/action.ActionName (for
|
||||
example, if your new action name is <quote>Foo</quote> then copy
|
||||
/etc/shorewall/action.template to /etc/shorewall/action.foo).</para>
|
||||
/etc/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
|
||||
(for example, if your new action name is <quote>Foo</quote> then copy
|
||||
<filename>/etc/shorewall/action.template</filename> to
|
||||
<filename>/etc/shorewall/action.Foo</filename>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -70,13 +67,15 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or
|
||||
<action> where <action> is a previously-defined action.
|
||||
The TARGET may optionally be followed by a colon (<quote>:</quote>) and
|
||||
a syslog log level (e.g, REJECT:info or ACCEPT:debugging). This causes
|
||||
the packet to be logged at the specified level. You may also specify
|
||||
ULOG (must be in upper case) as a log level.This will log to the ULOG
|
||||
target for routing to a separate log through use of ulogd
|
||||
(http://www.gnumonks.org/projects/ulogd).</para>
|
||||
<action> where <action> is a previously-defined action
|
||||
(that is, it must precede the action being defined in this file in your
|
||||
<filename>/etc/shorewall/actions</filename> file). The TARGET may
|
||||
optionally be followed by a colon (<quote>:</quote>) and a syslog log
|
||||
level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to
|
||||
be logged at the specified level. You may also specify ULOG (must be in
|
||||
upper case) as a log level.This will log to the ULOG target for routing
|
||||
to a separate log through use of ulogd (<ulink
|
||||
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -97,7 +96,8 @@
|
||||
MAC addresses are not allowed.</para>
|
||||
|
||||
<para>Unlike in the SOURCE column, you may specify a range of up to 256
|
||||
IP addresses using the syntax <first ip>-<last ip>.</para>
|
||||
IP addresses using the syntax <<emphasis>first ip</emphasis>>-<<emphasis>last
|
||||
ip</emphasis>>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -107,20 +107,45 @@
|
||||
|
||||
<listitem>
|
||||
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port
|
||||
names (from /etc/services), port numbers or port ranges; if the protocol
|
||||
is <quote>icmp</quote>, this column is interpreted as the destination
|
||||
icmp-type(s).</para>
|
||||
names (from <filename>/etc/services</filename>), port numbers or port
|
||||
ranges; if the protocol is <quote>icmp</quote>, this column is
|
||||
interpreted as the destination icmp-type(s).</para>
|
||||
|
||||
<para>A port range is expressed as <low port>:<high
|
||||
port>.</para>
|
||||
<para>A port range is expressed as <<emphasis>low port</emphasis>>:<<emphasis>high
|
||||
port</emphasis>>.</para>
|
||||
|
||||
<para>This column is ignored if PROTOCOL = all but must be entered if
|
||||
any of the following ields are supplied. In that case, it is suggested
|
||||
that this field contain <quote>-</quote>.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the CLIENT
|
||||
PORT(S) list below:</para>
|
||||
single Netfilter rule will be generated if in this list and in the
|
||||
CLIENT PORT(S) list below:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>There are 15 or less ports listed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>No port ranges are included.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Otherwise, a separate rule will be generated for each port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
|
||||
source port is acceptable. Specified as a comma-separated list of port
|
||||
names, port numbers or port ranges.</para>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
an ADDRESS in the next column, then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and in the DEST
|
||||
PORT(S) list above:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -139,11 +164,13 @@
|
||||
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><programlisting> <rate>/<interval>[:<burst>]</programlisting>where
|
||||
<rate> is the number of connections per <interval> (<quote>sec</quote>
|
||||
or <quote>min</quote>) and <burst> is the largest burst
|
||||
permitted. If no <burst> is given, a value of 5 is assumed.
|
||||
There may be no whitespace embedded in the specification.</para>
|
||||
<para><programlisting> <<emphasis>rate</emphasis>>/<<emphasis>interval</emphasis>>[:<<emphasis>burst</emphasis>>]</programlisting>where
|
||||
<<emphasis>rate</emphasis>> is the number of connections per
|
||||
<<emphasis>interval</emphasis>> (<quote>sec</quote> or
|
||||
<quote>min</quote>) and <<emphasis>burst</emphasis>> is the
|
||||
largest burst permitted. If no <<emphasis>burst</emphasis>> is
|
||||
given, a value of 5 is assumed. There may be no whitespace embedded in
|
||||
the specification.</para>
|
||||
|
||||
<para><programlisting> Example: 10/sec:20</programlisting></para>
|
||||
</listitem>
|
||||
@ -151,9 +178,8 @@
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><emphasis role="bold">/etc/shorewall/actions:</emphasis></para>
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<para><programlisting> LogAndAccept</programlisting><emphasis
|
||||
role="bold">/etc/shorewall/action.LogAndAccept</emphasis><programlisting> LOG:info
|
||||
<para><programlisting> LogAndAccept</programlisting><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
|
||||
ACCEPT</programlisting></para>
|
||||
</article>
|
@ -13,7 +13,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-04</pubdate>
|
||||
<pubdate>2004-01-26</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2002</year>
|
||||
@ -44,6 +44,17 @@
|
||||
<para>In the rules that are shown in this document, the ACTION is shown as
|
||||
ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
|
||||
or you may want DROP or REJECT if you are trying to block the application.</para>
|
||||
|
||||
<para>Example: You want to port forward FTP from the net to your server at
|
||||
192.168.1.4 in your DMZ. The FTP section below gives you:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 21</programlisting>
|
||||
|
||||
<para>You would code your rule as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
DNAT net dmz:192.168.1.4 tcp 21</programlisting>
|
||||
</note>
|
||||
|
||||
<section>
|
||||
@ -75,7 +86,7 @@ ACCEPT <emphasis><source></emphasis> <emphasis><destination>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 4000
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 53</programlisting>
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 4000:4100</programlisting>
|
||||
|
||||
<para>UDP Port 4000. You will also need to open a range of TCP ports which
|
||||
you can specify to your ICQ client. By default, clients use 4000-4100.</para>
|
||||
@ -108,7 +119,8 @@ ACCEPT <emphasis><destination></emphasis> <emphasis><source>
|
||||
<title>NFS</title>
|
||||
|
||||
<para>I personally use the following rules for opening access from zone z1
|
||||
to a server with IP address a.b.c.d in zone z2:</para>
|
||||
to a server with IP address a.b.c.d in zone z2. I have found though that
|
||||
different distributions behave differently so your milage may vary.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><z1></emphasis> <emphasis> <z2></emphasis>:a.b.c.d tcp 111
|
||||
@ -237,7 +249,8 @@ ACCEPT <emphasis><source></emphasis> <emphasis><destination>
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
|
||||
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||
version converted to Docbook XML</revremark></revision></revhistory></para>
|
||||
</appendix>
|
||||
|
@ -12,7 +12,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2003-01-06</pubdate>
|
||||
<pubdate>2003-01-26</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002</year>
|
||||
@ -164,14 +164,12 @@
|
||||
valign="middle"><row valign="middle"><entry align="left"><varname>net</varname></entry><entry
|
||||
align="left">The Internet</entry></row><row valign="middle"><entry
|
||||
align="left"><varname>loc</varname></entry><entry align="left">Your Local
|
||||
Network</entry></row><row valign="middle"><entry align="left"><varname>dmz</varname></entry><entry
|
||||
align="left">Demilitarized Zone</entry></row></tbody></tgroup></informaltable>
|
||||
Zones are defined in the <ulink url="Documentation.htm#Zones"><filename
|
||||
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
|
||||
Network</entry></row></tbody></tgroup></informaltable> Zones are defined
|
||||
in the <ulink url="Documentation.htm#Zones"><filename class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
|
||||
file.</para>
|
||||
|
||||
<para>Shorewall also recognizes the firewall system as its own zone - by
|
||||
default, the firewall itself is known as <varname>fw</varname>.</para>
|
||||
default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
|
||||
|
||||
<para>Rules about what traffic to allow and what traffic to deny are
|
||||
expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.4.10-RC3
|
||||
VERSION=1.4.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.4.10-RC3
|
||||
VERSION=1.4.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 1.4.10
|
||||
%define release 0RC3
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -109,6 +109,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-1
|
||||
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.10-RC3
|
||||
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.4.10-RC3
|
||||
VERSION=1.4.10
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|