Shorewall 1.4.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1099 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-01-31 03:24:02 +00:00
parent f67cb1eab8
commit afee989ee5
21 changed files with 540 additions and 702 deletions


@ -92,7 +92,7 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
# ranges. # ranges.
@ -126,6 +126,6 @@
# place a similar limit in the TARGET column. # place a similar limit in the TARGET column.
# #
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE #TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) DEST LIMIT # PORT PORT(S) LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,23 +1,23 @@
Changes since 1.4.8 Changes since 1.4.9
1) Replace "Static NAT" with "One-to-one NAT". 1) Implement destination list in masq file.
2) Change SMB common rules to DROP. 2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
3) Change wording in release notes. 3) Correct column headings in action.template
4) Move ip_forward handling to a function. 4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or
ADD_SNAT_ALIASES=Yes.
5) Change 'norfc1918' logging to log out of chains named 'rfc1918'. 5) Implement "detectnets" option.
6) Reword the description of NEWNOTSYN in shorewall.conf. 6) Correct the CONTINUE target and fix a couple of bugs in rate
limiting (with an assist from Steven Jan Springl).
7) Added MODULE_SUFFIX option to shorewall.conf. 7) Silently drop smurfs and broadcasts in the 'reject' chain.
8) Add /etc/shorewall/actions and /etc/shorewall/action.template 8) Add multicast to 'detectnets' zones.
9) Fix SNAT handling in DNAT rules. 9) Don't add broadcasts to /0 groups.
10) Change default to NEWNOTSYN=Yes 10) Fix "-" in PROTO column of an action file.
11) Add rule to drop null source addressed ICMPs.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.9 VERSION=1.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -564,11 +564,21 @@ determine_hosts() {
eval interfaces=\$${zone}_interfaces eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do for interface in $interfaces; do
if [ -z "$hosts" ]; then eval options=\$`chain_base ${interface}`_options
hosts=$interface:0.0.0.0/0
if list_search detectnets $options; then
subnets=`get_routed_subnets $interface`
else else
hosts="$hosts $interface:0.0.0.0/0" subnets=0.0.0.0/0
fi fi
for subnet in $subnets; do
if [ -z "$hosts" ]; then
hosts=$interface:$subnet
else
hosts="$hosts $interface:$subnet"
fi
done
done done
interfaces= interfaces=
@ -611,6 +621,8 @@ validate_zone() # $1 = zone
# Validate the zone names and options in the interfaces file # Validate the zone names and options in the interfaces file
# #
validate_interfaces_file() { validate_interfaces_file() {
local wildcard
while read z interface subnet options; do while read z interface subnet options; do
expandv z interface subnet options expandv z interface subnet options
r="$z $interface $subnet $options" r="$z $interface $subnet $options"
@ -628,10 +640,15 @@ validate_interfaces_file() {
list_search $interface $all_interfaces && \ list_search $interface $all_interfaces && \
startup_error "Duplicate Interface $interface" startup_error "Duplicate Interface $interface"
wildcard=
case $interface in case $interface in
*:*) *:*)
startup_error "Invalid Interface Name: $interface" startup_error "Invalid Interface Name: $interface"
;; ;;
*+*)
wildcard=Yes
;;
esac esac
all_interfaces="$all_interfaces $interface" all_interfaces="$all_interfaces $interface"
@ -646,6 +663,10 @@ validate_interfaces_file() {
case $option in case $option in
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-) dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
;; ;;
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
;;
dropunclean|logunclean) dropunclean|logunclean)
error_message \ error_message \
"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release" "Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
@ -1709,6 +1730,25 @@ process_tc_rule()
esac esac
fi fi
if [ "x$user" != "x-" ]; then
[ "$chain" != tcout ] && \
fatal_error "Invalid use of a user/group: rule \"$rule\""
case "$user" in
*:*)
r="$r-m owner"
temp="${user%:*}"
[ -n "$temp" ] && r="$r --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && r="$r --gid-owner $temp "
;;
*)
r="$r-m owner --uid-owner $user "
;;
esac
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " [ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
@ -1767,9 +1807,9 @@ setup_tc1() {
# #
strip_file tcrules strip_file tcrules
while read mark sources dests proto ports sports; do while read mark sources dests proto ports sports user; do
expandv mark sources dests proto ports sports expandv mark sources dests proto ports sports user
rule=`echo "$mark $sources $dests $proto $ports $sports"` rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
process_tc_rule process_tc_rule
done < $TMP_DIR/tcrules done < $TMP_DIR/tcrules
# #
@ -2335,7 +2375,7 @@ process_action() # $1 = action
# Generate Netfilter rule(s) # Generate Netfilter rule(s)
protocol=${protocol:=all} [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \ if [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
@ -2904,6 +2944,8 @@ process_rule() # $1 = target
# Function Body - isolate rate limit # Function Body - isolate rate limit
[ "x$ratelimit" = "x-" ] && ratelimit=
if [ -z "$ratelimit" ]; then if [ -z "$ratelimit" ]; then
if [ "$target" != "${target%<*}" ]; then if [ "$target" != "${target%<*}" ]; then
ratelimit="${target#*<}" ratelimit="${target#*<}"
@ -2915,9 +2957,6 @@ process_rule() # $1 = target
if [ -n "$ratelimit" ]; then if [ -n "$ratelimit" ]; then
case $ratelimit in case $ratelimit in
-)
ratelimit=
;;
*:*) *:*)
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
;; ;;
@ -2955,7 +2994,11 @@ process_rule() # $1 = target
case "$userset" in case "$userset" in
*:*) *:*)
case $target in case $target in
ACCEPT|REJECT|DROP) ACCEPT)
;;
REJECT|DROP)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
;; ;;
*) *)
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\"" fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
@ -2981,9 +3024,13 @@ process_rule() # $1 = target
target=`accept_chain $userset` target=`accept_chain $userset`
;; ;;
DROP) DROP)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=`drop_chain $userset` target=`drop_chain $userset`
;; ;;
REJECT) REJECT)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=`reject_chain $userset` target=`reject_chain $userset`
;; ;;
*) *)
@ -2999,8 +3046,15 @@ process_rule() # $1 = target
ACCEPT|LOG) ACCEPT|LOG)
;; ;;
REJECT) REJECT)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=reject target=reject
;; ;;
CONTINUE)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=RETURN
;;
DNAT) DNAT)
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
@ -3735,7 +3789,7 @@ setup_masq()
case $fullinterface in case $fullinterface in
*:*:*) *:*:*)
# Both alias name and subnet # Both alias name and subnet
destnet="${fullinterface##*:}" destnets="${fullinterface##*:}"
fullinterface="${fullinterface%:*}" fullinterface="${fullinterface%:*}"
;; ;;
*:*) *:*)
@ -3743,17 +3797,17 @@ setup_masq()
case ${fullinterface#*:} in case ${fullinterface#*:} in
*.*) *.*)
# It's a subnet # It's a subnet
destnet="${fullinterface#*:}" destnets="${fullinterface#*:}"
fullinterface="${fullinterface%:*}" fullinterface="${fullinterface%:*}"
;; ;;
*) *)
#it's an alias name #it's an alias name
destnet="0.0.0.0/0" destnets="0.0.0.0/0"
;; ;;
esac esac
;; ;;
*) *)
destnet="0.0.0.0/0" destnets="0.0.0.0/0"
;; ;;
esac esac
@ -3770,7 +3824,6 @@ setup_masq()
subnet="${subnet%!*}" subnet="${subnet%!*}"
fi fi
chain=`masq_chain $interface`
source="$subnet" source="$subnet"
@ -3799,33 +3852,70 @@ setup_masq()
done done
fi fi
destination=$destnet destination=$destnets
if [ -n "$nomasq" ]; then chain=`masq_chain $interface`
newchain=masq${masq_seq}
createnatchain $newchain
if [ -n "$subnet" ]; then case $destnets in
for s in $subnet; do !*)
addnatrule $chain -d $destnet -s $s -j $newchain newchain=masq${masq_seq}
createnatchain $newchain
destnets=${destnets#!}
for destnet in $(separate_list $destnets); do
addnatrule $newchain -d $destnet -j RETURN
done done
else
addnatrule $chain -d $destnet -j $newchain
fi
masq_seq=$(($masq_seq + 1)) if [ -n "$subnet" ]; then
chain=$newchain for s in $subnet; do
subnet= addnatrule $chain -s $s -j $newchain
destnet= done
subnet=
else
addnatrule $chain -j $newchain
fi
for addr in `separate_list $nomasq`; do masq_seq=$(($masq_seq + 1))
addnatrule $chain -s $addr -j RETURN chain=$newchain
done destnets=0.0.0.0/0
source="$source except $nomasq" if [ -n "$nonmasq" ]; then
else for addr in `separate_list $nomasq`; do
destnet="-d $destnet" addnatrule $chain -s $addr -j RETURN
fi done
source="$source except $nomasq"
fi
;;
*)
if [ -n "$nomasq" ]; then
newchain=masq${masq_seq}
createnatchain $newchain
if [ -n "$subnet" ]; then
for s in $subnet; do
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -s $s -j $newchain
done
done
else
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j $newchain
done
fi
masq_seq=$(($masq_seq + 1))
chain=$newchain
subnet=
destnets=0.0.0.0/0
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
source="$source except $nomasq"
fi
;;
esac
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
temp= temp=
@ -3837,18 +3927,26 @@ setup_masq()
if [ -n "$subnet" ]; then if [ -n "$subnet" ]; then
for s in $subnet; do for s in $subnet; do
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
addnatrule $chain -s $s $destnet -j SNAT $temp for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j SNAT $temp
done
echo " To $destination from $s through ${interface} using $addresses" echo " To $destination from $s through ${interface} using $addresses"
else else
addnatrule $chain -s $s $destnet -j MASQUERADE for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j MASQUERADE
done
echo " To $destination from $s through ${interface}" echo " To $destination from $s through ${interface}"
fi fi
done done
elif [ -n "$address" ]; then elif [ -n "$address" ]; then
addnatrule $chain $destnet -j SNAT $temp for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j SNAT $temp
done
echo " To $destination from $source through ${interface} using $addresses" echo " To $destination from $source through ${interface} using $addresses"
else else
addnatrule $chain $destnet -j MASQUERADE for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j MASQUERADE
done
echo " To $destination from $source through ${interface}" echo " To $destination from $source through ${interface}"
fi fi
@ -4345,9 +4443,26 @@ build_common_chain() {
# #
add_common_rules() { add_common_rules() {
local savelogparms="$LOGPARMS" local savelogparms="$LOGPARMS"
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
# #
# Reject Rules # Reject Rules -- Don't respond to broadcasts with an ICMP
# #
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $broadcasts ; do
run_iptables -A reject -d $address -j DROP
done
fi
#
# Don't feed the smurfs
#
for address in $broadcasts ; do
run_iptables -A reject -s $address -j DROP
done
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
run_iptables -A reject -p udp -j REJECT run_iptables -A reject -p udp -j REJECT
# #
@ -4754,6 +4869,8 @@ activate_rules()
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
need_broadcast=
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
@ -4771,8 +4888,19 @@ activate_rules()
[ -n "$complex" ] && \ [ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
if [ "$subnet" != 0.0.0.0/0 ]; then
if ! list_search $interface $need_broadcast ; then
eval options=\$`chain_base ${interface}`_options
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
fi
fi
done done
for interface in $need_broadcast ; do
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
done
for zone1 in $zones; do for zone1 in $zones; do
eval policy=\$${zone}2${zone1}_policy eval policy=\$${zone}2${zone1}_policy
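Review bot: In the setup_masq hunk (`@ -3799,33 +3852,70`), the negated-destination arm `!*)` guards its exclusion handling with `if [ -n "$nonmasq" ]; then`, but the loop body two lines below and every other reference in this hunk use `$nomasq`; unless `nonmasq` is assigned somewhere outside this view, that test is always false, so when the INTERFACE column carries a `!` destination list the `SUBNET!excluded` hosts never get their `-j RETURN` rules and are SNAT'd/masqueraded anyway, and the `source="$source except $nomasq"` summary is skipped so the startup output gives no hint of it. The fix is the one-word rename `if [ -n "$nomasq" ]; then`. The `*)` arm of the same case already uses `$nomasq`, which makes the discrepancy easy to overlook in review. setup_masq begins before this hunk and continues past it.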


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.9 VERSION=1.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -117,6 +117,13 @@
# interface. The interface must be up # interface. The interface must be up
# when Shorewall is started. # when Shorewall is started.
# #
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE!
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.


@ -18,7 +18,12 @@
# PLACE IN YOUR SHOREWALL CONFIGURATION. # PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# This may be qualified by adding the character # This may be qualified by adding the character
# ":" followed by a destination host or subnet. # ":" followed by a comma-separed list of
# destination hosts or subnets. If this list begins with
# "!" then masquerading will occur if and only if the
# connection destination is NOT included in the list.
# Otherwise, the masquerading will occur if and only if
# the destination IS included in the list.
# #
# #
# SUBNET -- Subnet that you wish to masquerade. You can specify this as # SUBNET -- Subnet that you wish to masquerade. You can specify this as
@ -89,7 +94,7 @@
# #
# You want all outgoing traffic from 192.168.1.0/24 through # You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the # eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to # primary address of eth0. You want 206.124.146.176 to
# be added to eth0 with name eth0:0. # be added to eth0 with name eth0:0.
# #
# eth0:0 192.168.1.0/24 206.124.146.176 # eth0:0 192.168.1.0/24 206.124.146.176


@ -1,24 +1,23 @@
This is a minor release of Shorewall. This is a minor release of Shorewall.
Problems Corrected since version 1.4.8: Problems Corrected since version 1.4.9:
1) There has been a low continuing level of confusion over the terms 1. The column descriptions in the action.template file did not match
"Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all the column headings. That has been corrected.
instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files.
2) The description of NEWNOTSYN in shorewall.conf has been reworded for 2. The presence of IPV6 addresses on devices generates error messages
clarity. during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
specified in /etc/shorewall/shorewall.conf.
3) Wild-card rules (those involving "all" as SOURCE or DEST) will no 3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
longer produce an error if they attempt to add a rule that would couple of problems involving rate limiting have been
override a NONE policy. The logic for expanding these wild-card corrected. These bug fixes courtesy of Steven Jan Springl.
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.
4) DNAT rules that also specified SNAT now work reliably. Previously, 4. Shorewall now tries to avoid sending an ICMP response to broadcasts
there were cases where the SNAT specification was effectively and smurfs.
ignored.
5. Specifying "-" or "all" in the PROTO column of an action no longer
causes a startup error.
Migration Issues: Migration Issues:
@ -26,79 +25,37 @@ None.
New Features: New Features:
1) The documentation has been completely rebased to Docbook XML. The 1) The INTERFACE column in the /etc/shorewall/masq file may now
documentation is now released as separate HTML and XML packages. specify a destination list.
2) To cut down on the number of "Why are these ports closed rather than Example:
stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
3) For easier identification, packets logged under the 'norfc1918' #INTERFACE SUBNET ADDRESS
interface option are now logged out of chains named eth0:192.0.2.3,192.0.2.16/28 eth1
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.
4) Distributors and developers seem to be regularly inventing new If the list begins with "!" then SNAT will occur only if the
naming conventions for kernel modules. To avoid the need to change destination IP address is NOT included in the list.
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX
is not set in shorewall.conf, Shorewall will use the list "o gz ko
o.gz".
To see what suffix is used by your distribution: 2) Output traffic control rules (those with the firewall as the source)
may now be qualified by the effective userid and/or effective group
id of the program generating the output. This feature is courtesy of
Frédéric LESPEZ.
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter A new USER column has been added to /etc/shorewall/tcrules.
All of the files listed should have the same suffix (extension). Set It may contain :
MODULE_SUFFIX to that suffix.
Examples: [<user name or number>]:[<group name or number>]
If all files end in ".kzo" then set MODULE_SUFFIX="kzo" The colon is optionnal when specifying only a user.
If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
5) Support for user defined rule ACTIONS has been implemented through Examples : john: / john / :users / john:users
two new files:
/etc/shorewall/actions - used to list the user-defined ACTIONS. 3) A "detectnets" interface option has been added for entries in
/etc/shorewall/action.template - For each user defined <action>, copy /etc/shorewall/interfaces. This option automatically taylors the
this file to definition of the zone named in the ZONE column to include just
/etc/shorewall/action.<action> and those hosts that have routes through the interface named in the
add the appropriate rules for that INTERFACE column. The named interface must be UP when
<action>. Shorewall is [re]started.
Once an <action> has been defined, it may be used like any of the
builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
Example: You want an action that logs a packet at the 'info' level WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
and accepts the connection.
In /etc/shorewall/actions, you would add:
LogAndAccept
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the two
rules:
LOG:info
ACCEPT
6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
(non-syn TCP packets that are not part of an existing connection are
filtered according to the rules and policies rather than being
dropped). I have made this change for two reasons:
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I
could have changed the default value of LOGNEWNOTSYN to suppress
logging, I dislike defaults that silently throw away packets.
7) The common.def file now contains an entry that silently drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.


@ -46,7 +46,7 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 71.0.0.0/8 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved
85.0.0.0/8 logdrop # Reserved 85.0.0.0/8 logdrop # Reserved
86.0.0.0/7 logdrop # Reserved 86.0.0.0/7 logdrop # Reserved
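Review bot: The replacement entry `71.0.0.0/8 logdrop # Reserved` keeps the undated `# Reserved` comment, so a reader cannot tell as of when that block was reserved or why 70.0.0.0/8 was dropped from the list (presumably because it has since been allocated; the commit record does not say). Because this file turns an address-allocation snapshot into drop rules on the Internet-facing interface, an entry left in too long silently drops legitimate peers while one removed too early admits bogon sources, so the provenance matters more here than elsewhere. I would date the new line, e.g. `71.0.0.0/8 logdrop # Reserved as of 2004-01 -- re-verify against the IANA IPv4 address-space registry`, so the next maintainer knows when to recheck it.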


@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.9 %define version 1.4.10
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -109,6 +109,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-1
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC3
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC2
* Thu Jan 22 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC1
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net> * Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.9 - Changed version to 1.4.9
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net> * Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>


@ -57,7 +57,22 @@
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
# ranges. # ranges.
#
# USER This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective user and/or group.
#
# It may contain :
#
# [<user name or number>]:[<group name or number>]
#
# The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users
#
############################################################################## ##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT #MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S) # PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.9 VERSION=1.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-01-24</pubdate> <pubdate>2004-01-25</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -60,132 +60,22 @@
shows how to do port forwarding under Shorewall. The format of a shows how to do port forwarding under Shorewall. The format of a
port-forwarding rule to a local system is as follows:</para> port-forwarding rule to a local system is as follows:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<tgroup cols="7"> DNAT net loc:&#60;l<emphasis>ocal IP address</emphasis>&#62;[:&#60;<emphasis>local port</emphasis>&#62;] &#60;<emphasis>protocol</emphasis>&#62; &#60;<emphasis>port #</emphasis>&#62;</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&#60;local IP address&#62;[:&#60;local port&#62;]</entry>
<entry>&#60;protocol&#62;</entry>
<entry>&#60;port #&#62;</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>So to forward UDP port 7777 to internal system 192.168.1.5, the <para>So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</para> rule is:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<tgroup cols="7"> DNAT net loc:192.168.1.5 udp 7777</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:192.168.1.5</entry>
<entry>udp</entry>
<entry>7777</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>If you want to forward requests directed to a particular address ( <para>If you want to forward requests directed to a particular address (
<emphasis>&#60;external IP&#62;</emphasis> ) on your firewall to an <emphasis>&#60;external IP&#62;</emphasis> ) on your firewall to an
internal system:</para> internal system:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
<tgroup cols="7"> # PORT DEST.
<thead> DNAT net loc:&#60;l<emphasis>ocal IP address</emphasis>&#62;[:&#60;<emphasis>local port</emphasis>&#62;] &#60;<emphasis>protocol</emphasis>&#62; &#60;<emphasis>port #</emphasis>&#62; - &#60;<emphasis>external IP</emphasis>&#62;</programlisting>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&#60;local IP address&#62;[:&#60;local port&#62;]</entry>
<entry>&#60;protocol&#62;</entry>
<entry>&#60;port #&#62;</entry>
<entry>-</entry>
<entry>&#60;external IP&#62;</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>Finally, if you need to forward a range of ports, in the PORT <para>Finally, if you need to forward a range of ports, in the PORT
column specify the range as <emphasis>&#60;low-port&#62;:&#60;high-port&#62;</emphasis>.</para> column specify the range as <emphasis>&#60;low-port&#62;:&#60;high-port&#62;</emphasis>.</para>
@ -235,8 +125,8 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>As root, type <quote>iptables -t nat -Z</quote>. This clears <para>As root, type <quote><command>iptables -t nat -Z</command></quote>.
the NetFilter counters in the nat table.</para> This clears the NetFilter counters in the nat table.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -244,7 +134,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>As root type <quote>shorewall show nat</quote></para> <para>As root type <quote><command>shorewall show nat</command></quote></para>
</listitem> </listitem>
<listitem> <listitem>
@ -295,47 +185,10 @@
my firewall and have the firewall forward the connection to port 22 on my firewall and have the firewall forward the connection to port 22 on
local system 192.168.1.3. How do I do that?</title> local system 192.168.1.3. How do I do that?</title>
<para>In /etc/shorewall/rules:</para> <para>In /<filename>etc/shorewall/rules</filename>:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<tgroup cols="7"> DNAT net loc:192.168.3:22 tcp 1022</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry>DESTINATION</entry>
<entry>PROTOCOL</entry>
<entry>PORT</entry>
<entry>SOURCE PORT</entry>
<entry>ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:192.168.1.3:22</entry>
<entry>tcp</entry>
<entry>1022</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section> </section>
</section> </section>
@ -407,127 +260,30 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>In /etc/shorewall/interfaces:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<informaltable> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<tgroup cols="4"> loc eth1 detect <emphasis role="bold">routeback</emphasis></programlisting>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>eth1</entry>
<entry>detect</entry>
<entry><emphasis role="bold">routeback</emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</listitem> </listitem>
<listitem> <listitem>
<para>In /etc/shorewall/rules:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
<tgroup cols="7"> # PORT DEST.
<thead> DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</programlisting>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>loc</entry>
<entry>web:192.168.1.5</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>130.151.100.69:192.168.1.254</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>That rule only works of course if you have a static external <para>That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running IP address. If you have a dynamic IP address and are running
Shorewall 1.3.4 or later then include this in /etc/shorewall/init:</para> Shorewall 1.3.4 or later then include this in <filename>/etc/shorewall/init</filename>:</para>
<programlisting>ETH0_IP=`find_interface_address eth0`</programlisting> <programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
<para>and make your DNAT rule:</para> <para>and make your DNAT rule:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
<tgroup cols="7"> # PORT DEST.
<thead> DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP:192.168.1.254</programlisting>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>loc</entry>
<entry>web:192.168.1.5</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>$ETH0_IP:192.168.1.254</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>Using this technique, you will want to configure your <para>Using this technique, you will want to configure your
DHCP/PPPoE client to automatically restart Shorewall each time that DHCP/PPPoE client to automatically restart Shorewall each time that
@ -597,94 +353,23 @@
<literallayout>Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24</literallayout> <literallayout>Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24</literallayout>
<para>In /etc/shorewall/interfaces:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<informaltable> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<tgroup cols="4"> loc eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis></programlisting>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry> <para>In <filename>/etc/shorewall/policy</filename>:</para>
<entry align="center">BROADCAST</entry> <programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
dmz dmz ACCEPT</programlisting>
<entry align="center">OPTIONS</entry> <para>In <filename>/etc/shorewall/masq</filename>:</para>
</row>
</thead>
<tbody> <programlisting>#INTERFACE SUBNET ADDRESS
<row> eth2 192.168.2.0/24</programlisting>
<entry>dmz</entry>
<entry>eth2</entry> <para>In <filename>/etc/shorewall/na</filename>t, be sure that you
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
<entry>192.168.2.255</entry>
<entry><emphasis role="bold">routeback</emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/policy:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">POLICY</entry>
<entry align="center">LIMIT:BURST</entry>
</row>
</thead>
<tbody>
<row>
<entry>dmz</entry>
<entry>dmz</entry>
<entry>ACCEPT</entry>
<entry><emphasis role="bold"></emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/masq:</para>
<informaltable>
<tgroup cols="3">
<thead>
<row>
<entry align="center">INTERFACE</entry>
<entry align="center">SUBNET</entry>
<entry align="center">ADDRESS</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth2</entry>
<entry>192.168.2.0/24</entry>
<entry><emphasis role="bold"></emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/nat, be sure that you have <quote>Yes</quote>
in the ALL INTERFACES column.</para>
</example> </example>
</section> </section>
</section> </section>
@ -791,18 +476,19 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Create /etc/shorewall/common if it doesn&#39;t already exist.</para> <para>Create <filename>/etc/shorewall/common</filename> if it
doesn&#39;t already exist.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Be sure that the first command in the file is <quote>. <para>Be sure that the first command in the file is <quote>.
/etc/shorewall/common.def</quote></para> <filename>/etc/shorewall/common.de</filename>f</quote></para>
</listitem> </listitem>
<listitem> <listitem>
<para>Add the following to /etc/shorewall/common</para> <para>Add the following to <filename>/etc/shorewall/common</filename></para>
<programlisting>run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT</programlisting> <programlisting><command>run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT</command></programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -859,14 +545,15 @@
see <quote>man syslog</quote>) in your <ulink see <quote>man syslog</quote>) in your <ulink
url="Documentation.htm#Policy">policies</ulink> and <ulink url="Documentation.htm#Policy">policies</ulink> and <ulink
url="Documentation.htm#Rules">rules</ulink>. The destination for url="Documentation.htm#Rules">rules</ulink>. The destination for
messaged logged by syslog is controlled by /etc/syslog.conf (see messaged logged by syslog is controlled by <filename>/etc/syslog.conf</filename>
<quote>man syslog.conf</quote>). When you have changed /etc/syslog.conf, (see <quote>man syslog.conf</quote>). When you have changed
be sure to restart syslogd (on a RedHat system, <quote>service syslog /etc/syslog.conf, be sure to restart syslogd (on a RedHat system,
restart</quote>).</para> <quote>service syslog restart</quote>).</para>
<para>By default, older versions of Shorewall ratelimited log messages <para>By default, older versions of Shorewall ratelimited log messages
through <ulink url="Documentation.htm#Conf">settings</ulink> in through <ulink url="Documentation.htm#Conf">settings</ulink> in
/etc/shorewall/shorewall.conf -- If you want to log all messages, set:</para> <filename>/etc/shorewall/shorewall.conf</filename> -- If you want to log
all messages, set:</para>
<programlisting>LOGLIMIT=&#34;&#34; <programlisting>LOGLIMIT=&#34;&#34;
LOGBURST=&#34;&#34;</programlisting> LOGBURST=&#34;&#34;</programlisting>
@ -929,20 +616,21 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
</orderedlist> </orderedlist>
<para>You can distinguish the difference by setting the <emphasis <para>You can distinguish the difference by setting the <emphasis
role="bold">logunclean</emphasis> option (<ulink role="bold">logunclean</emphasis> option (<filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>) url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>)
on your external interface (eth0 in the above example). If they get on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:</para> /etc/shorewall/common file like this:</para>
<programlisting># <programlisting>#
# Include the standard common.def file # Include the standard common.def file
# . /etc/shorewall/common.def #
<command>. /etc/shorewall/common.def</command>
# #
# The following rule is non-standard and compensates for tardy # The following rule is non-standard and compensates for tardy
# DNS replies # DNS replies
# #
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlisting> <command>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</command></programlisting>
<para>The above file is also include in all of my sample <para>The above file is also include in all of my sample
configurations available in the <ulink configurations available in the <ulink
@ -1012,8 +700,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<tip> <tip>
<para>Under Debian, you can set KLOGD=<quote>-c 5</quote> in <para>Under Debian, you can set KLOGD=<quote>-c 5</quote> in
/etc/init.d/klogd to suppress info (log level 6) messages on the <filename>/etc/init.d/klogd</filename> to suppress info (log level 6)
console.</para> messages on the console.</para>
</tip> </tip>
<tip> <tip>
@ -1034,9 +722,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<term>man1918 or logdrop</term> <term>man1918 or logdrop</term>
<listitem> <listitem>
<para>The destination address is listed in /etc/shorewall/rfc1918 <para>The destination address is listed in <filename>/etc/shorewall/rfc1918</filename>
with a <emphasis role="bold">logdrop</emphasis> target -- see with a <emphasis role="bold">logdrop</emphasis> target -- see
<ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>.</para> <filename><ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink></filename>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1044,9 +732,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<term>rfc1918 or logdrop</term> <term>rfc1918 or logdrop</term>
<listitem> <listitem>
<para>The source address is listed in /etc/shorewall/rfc1918 with <para>The source address is listed in <filename>/etc/shorewall/rfc1918</filename>
a <emphasis role="bold">logdrop</emphasis> target -- see <ulink with a <emphasis role="bold">logdrop</emphasis> target -- see
url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>.</para> <filename><ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink></filename>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1099,7 +787,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<para>The packet is being logged under the <emphasis role="bold">dropunclean</emphasis> <para>The packet is being logged under the <emphasis role="bold">dropunclean</emphasis>
<ulink url="Documentation.htm#Interfaces">interface option</ulink> <ulink url="Documentation.htm#Interfaces">interface option</ulink>
as specified in the <emphasis role="bold">LOGUNCLEAN</emphasis> as specified in the <emphasis role="bold">LOGUNCLEAN</emphasis>
setting in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para> setting in <ulink url="Documentation.htm#Conf"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1108,7 +796,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<listitem> <listitem>
<para>The packet is being logged because the source IP is <para>The packet is being logged because the source IP is
blacklisted in the <ulink url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink> blacklisted in the <filename><ulink
url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink></filename>
file.</para> file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1121,7 +810,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
is not part of any current connection yet it is not a syn packet. is not part of any current connection yet it is not a syn packet.
Options affecting the logging of such packets include <emphasis Options affecting the logging of such packets include <emphasis
role="bold">NEWNOTSYN</emphasis> and <emphasis role="bold">LOGNEWNOTSYN</emphasis> role="bold">NEWNOTSYN</emphasis> and <emphasis role="bold">LOGNEWNOTSYN</emphasis>
in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para> in <ulink url="Documentation.htm#Conf"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1290,78 +979,29 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<para>Setting this up in Shorewall is easy; setting up the routing is a <para>Setting this up in Shorewall is easy; setting up the routing is a
bit harder.</para> bit harder.</para>
<para>Assuming that eth0 and eth1 are the interfaces to the two ISPs <para>Assuming that <filename class="devicefile">eth0</filename> and
then:</para> <filename class="devicefile">eth1</filename> are the interfaces to the
two ISPs then:</para>
<para>/etc/shorewall/interfaces:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<informaltable> <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
<tgroup cols="4"> net eth0 detect
<thead> net eth1 detect</programlisting>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry> <para><filename>/etc/shorewall/policy</filename>:</para>
<entry align="center">BROADCAST</entry> <programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
net net DROP</programlisting>
<entry align="center">OPTIONS</entry> <para>If you have masqueraded hosts, be sure to update
</row> <filename>/etc/shorewall/masq</filename> to masquerade to both ISPs. For
</thead> example, if you masquerade all hosts connected to <filename
class="devicefile">eth2</filename> then:</para>
<tbody> <programlisting>#INTERFACE SUBNET ADDRESS
<row> eth0 eth2
<entry>net</entry> eth1 eth2</programlisting>
<entry>eth0</entry>
<entry>detect</entry>
<entry>...</entry>
</row>
<row>
<entry>net</entry>
<entry>eth1</entry>
<entry>detect</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>/etc/shorewall/policy:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">POLICY</entry>
<entry align="center">LIMIT:BURST</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>net</entry>
<entry>DROP</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para><citetitle>There was an article in SysAdmin covering this topic. <para><citetitle>There was an article in SysAdmin covering this topic.
It may be found at <ulink It may be found at <ulink
@ -1520,11 +1160,11 @@ ip route add 127.0.0.0/8 dev lo table T2</programlisting>
<title>(FAQ 7) When I stop Shorewall using <quote>shorewall stop</quote>, <title>(FAQ 7) When I stop Shorewall using <quote>shorewall stop</quote>,
I can&#39;t connect to anything. Why doesn&#39;t that command work?</title> I can&#39;t connect to anything. Why doesn&#39;t that command work?</title>
<para>The <quote>stop</quote> command is intended to place your firewall <para>The <quote><command>stop</command></quote> command is intended to
into a safe state whereby only those hosts listed in place your firewall into a safe state whereby only those hosts listed in
/etc/shorewall/routestopped&#39; are activated. If you want to totally <filename>/etc/shorewall/routestopped</filename>&#39; are activated. If
open up your firewall, you must use the <quote>shorewall clear</quote> you want to totally open up your firewall, you must use the
command.</para> <quote><command>shorewall clear</command></quote> command.</para>
</section> </section>
<section id="faq8"> <section id="faq8">
@ -1590,12 +1230,13 @@ Creating input Chains...
<para><emphasis role="bold">Answer:</emphasis> The above output is <para><emphasis role="bold">Answer:</emphasis> The above output is
perfectly normal. The Net zone is defined as all hosts that are perfectly normal. The Net zone is defined as all hosts that are
connected through eth0 and the local zone is defined as all hosts connected through eth0 and the local zone is defined as all hosts
connected through eth1. If you are running Shorewall 1.4.10 or later, connected through <filename class="devicefile">eth1</filename>. If you
you can consider setting the <ulink url="Documentation.htm#Interfaces"><emphasis are running Shorewall 1.4.10 or later, you can consider setting the
role="bold">detectnets</emphasis> interface option</ulink> on your local <ulink url="Documentation.htm#Interfaces"><emphasis role="bold">detectnets</emphasis>
interface (eth1 in the above example). That will cause Shorewall to interface option</ulink> on your local interface (<filename
restrict the local zone to only those networks routed through that class="devicefile">eth1</filename> in the above example). That will
interface.</para> cause Shorewall to restrict the local zone to only those networks routed
through that interface.</para>
</section> </section>
<section id="faq22"> <section id="faq22">
@ -1665,7 +1306,7 @@ Creating input Chains...
<para>At the shell prompt, type:</para> <para>At the shell prompt, type:</para>
<programlisting>/sbin/shorewall version</programlisting> <programlisting><command>/sbin/shorewall version</command></programlisting>
</section> </section>
<section id="faq31"> <section id="faq31">
@ -1745,32 +1386,15 @@ Creating input Chains...
version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and
in it, place the following:</para> in it, place the following:</para>
<programlisting>run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</programlisting> <programlisting><command>run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</command></programlisting>
<para>If you are running version 1.3.1 or later, simply add the <para>If you are running version 1.3.1 or later, simply add the
following to <ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>:</para> following to <ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>:</para>
<para>Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</para> <para>Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</para>
<informaltable> <programlisting>#SUBNET TARGET
<tgroup cols="2"> 192.168.100.1 RETURN</programlisting>
<thead>
<row>
<entry align="center">SUBNET</entry>
<entry align="center">TARGET</entry>
</row>
</thead>
<tbody>
<row>
<entry>192.168.100.1</entry>
<entry>RETURN</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<note> <note>
<para>If you add a second IP address to your external firewall <para>If you add a second IP address to your external firewall
@ -1779,31 +1403,9 @@ Creating input Chains...
configure the address 192.168.100.2 on your firewall, then you would configure the address 192.168.100.2 on your firewall, then you would
add two entries to /etc/shorewall/rfc1918:</para> add two entries to /etc/shorewall/rfc1918:</para>
<informaltable> <programlisting>#SUBNET TARGET
<tgroup cols="2"> 192.168.100.1 RETURN
<thead> 192.168.100.2 RETURN</programlisting>
<row>
<entry align="center">SUBNET</entry>
<entry align="center">TARGET</entry>
</row>
</thead>
<tbody>
<row>
<entry>192.168.100.1</entry>
<entry>RETURN</entry>
</row>
<row>
<entry>192.168.100.2</entry>
<entry>RETURN</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</note> </note>
<section id="faq14a"> <section id="faq14a">
@ -1883,7 +1485,7 @@ Creating input Chains...
<para>Add this command to your /etc/shorewall/start file:</para> <para>Add this command to your /etc/shorewall/start file:</para>
<programlisting>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</programlisting> <programlisting><command>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</command></programlisting>
</section> </section>
</section> </section>
@ -1941,8 +1543,9 @@ iptables: Invalid argument
<appendix> <appendix>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added <para><revhistory><revision><revnumber>1.15</revnumber><date>2004-01-25</date><authorinitials>TE</authorinitials><revremark>Updated
FAQ 27a regarding kernel/iptables incompatibility.<emphasis role="bold"></emphasis></revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add FAQ 32 to mention masquerading. Remove tables.</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added
FAQ 27a regarding kernel/iptables incompatibility.</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
a note about the <emphasis role="bold">detectnets</emphasis> interface a note about the <emphasis role="bold">detectnets</emphasis> interface
option in FAQ 9.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve option in FAQ 9.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
FAQ 16 answer.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Corrected FAQ 16 answer.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Corrected


@ -13,10 +13,10 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2003/12/23</pubdate> <pubdate>2004-01-26</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003-2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -98,6 +98,82 @@
</section> </section>
</section> </section>
<section>
<title>Shorewall Concepts</title>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you will only need to deal with a few of them.</para>
<para>Shorewall views the network where it is running as being composed of
a set of zones. In the <ulink url="three-interface.htm">three-interface
sample configuration</ulink> for example, the following zone names are
used: <informaltable frame="all" pgwide="0"><tgroup align="left" cols="2"><thead
valign="middle"><row valign="middle"><entry align="left">Name</entry><entry
align="left">Description</entry></row></thead><tbody valign="middle"><row
valign="middle"><entry align="left"><varname>net</varname></entry><entry
align="left">The Internet</entry></row><row valign="middle"><entry
align="left"><varname>loc</varname></entry><entry align="left">Your Local
Network</entry></row><row valign="middle"><entry align="left"><varname>dmz</varname></entry><entry
align="left">Demilitarized Zone</entry></row></tbody></tgroup></informaltable>Zones
are defined in the <ulink url="Documentation.htm#Zones"><filename
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
file.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You
express your default policy for connections from one zone to another zone
in the <ulink url="Documentation.htm#Policy"><filename class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>
file.</para></listitem><listitem><para>You define exceptions to those
default policies in the <ulink url="Documentation.htm#Rules"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>
file.</para></listitem></itemizedlist>For each connection request entering
the firewall, the request is first checked against the <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>
file. If no rule in that file matches the connection request then the
first policy in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If that policy is <varname>REJECT</varname>
or <varname>DROP</varname> the request is first checked against the rules
in <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
if that file exists; otherwise the rules in <filename class="directory">/etc/shorewall/</filename><filename>common.def</filename>
are checked.</para>
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT</programlisting> The above policy will:
<itemizedlist><listitem><para>Allow all connection requests from your
local network to the internet</para></listitem><listitem><para>Drop
(ignore) all connection requests from the internet to your firewall or
local network</para></listitem><listitem><para>Optionally accept all
connection requests from the firewall to the internet (if you uncomment
the additional policy)</para></listitem><listitem><para>reject all other
connection requests.</para></listitem></itemizedlist></para>
<para>The simplest way to define a zone is to associate the zone with a
network interface using the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file. In the three-interface sample, the three zones are defined using
that file as follows:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect</programlisting>
<para>The above file defines the net zone as all hosts interfacing to the
firewall through eth0, the loc zone as all hosts interfacing through eth1
and the dmz as all hosts interfacing through eth2.</para>
</section>
<section> <section>
<title>License</title> <title>License</title>


@ -15,14 +15,10 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2003-12-09</pubdate> <pubdate>2003-01-29</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2003-2004</year>
<year>2002</year>
<year>2003</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -37,8 +33,8 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<para>Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were <para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
Beginning with Shorewall version 1.4.9, users may use sequences of these Beginning with Shorewall version 1.4.9, users may use sequences of these
elementary operations to define more complex actions.</para> elementary operations to define more complex actions.</para>
@ -46,18 +42,19 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Add a line to /etc/shorewall/actions that names your new action. <para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
Action names must be valid shell variable names as well as valid that names your new action. Action names must be valid shell variable
Netfilter chain names. It is recommended that the name you select for a names as well as valid Netfilter chain names. It is recommended that the
new action begins with with a capital letter; that way, the name name you select for a new action begins with with a capital letter; that
won&#39;t conflict with a Shorewall-defined chain name.</para> way, the name won&#39;t conflict with a Shorewall-defined chain name.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Once you have defined your new action name (ActionName), then copy <para>Once you have defined your new action name (ActionName), then copy
/etc/shorewall/action.template to /etc/shorewall/action.ActionName (for /etc/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
example, if your new action name is <quote>Foo</quote> then copy (for example, if your new action name is <quote>Foo</quote> then copy
/etc/shorewall/action.template to /etc/shorewall/action.foo).</para> <filename>/etc/shorewall/action.template</filename> to
<filename>/etc/shorewall/action.Foo</filename>).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -70,13 +67,15 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or
&#60;action&#62; where &#60;action&#62; is a previously-defined action. &#60;action&#62; where &#60;action&#62; is a previously-defined action
The TARGET may optionally be followed by a colon (<quote>:</quote>) and (that is, it must precede the action being defined in this file in your
a syslog log level (e.g, REJECT:info or ACCEPT:debugging). This causes <filename>/etc/shorewall/actions</filename> file). The TARGET may
the packet to be logged at the specified level. You may also specify optionally be followed by a colon (<quote>:</quote>) and a syslog log
ULOG (must be in upper case) as a log level.This will log to the ULOG level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to
target for routing to a separate log through use of ulogd be logged at the specified level. You may also specify ULOG (must be in
(http://www.gnumonks.org/projects/ulogd).</para> upper case) as a log level.This will log to the ULOG target for routing
to a separate log through use of ulogd (<ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -97,7 +96,8 @@
MAC addresses are not allowed.</para> MAC addresses are not allowed.</para>
<para>Unlike in the SOURCE column, you may specify a range of up to 256 <para>Unlike in the SOURCE column, you may specify a range of up to 256
IP addresses using the syntax &#60;first ip&#62;-&#60;last ip&#62;.</para> IP addresses using the syntax &#60;<emphasis>first ip</emphasis>&#62;-&#60;<emphasis>last
ip</emphasis>&#62;.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -107,20 +107,45 @@
<listitem> <listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port <para>DEST PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges; if the protocol names (from <filename>/etc/services</filename>), port numbers or port
is <quote>icmp</quote>, this column is interpreted as the destination ranges; if the protocol is <quote>icmp</quote>, this column is
icmp-type(s).</para> interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &#60;low port&#62;:&#60;high <para>A port range is expressed as &#60;<emphasis>low port</emphasis>&#62;:&#60;<emphasis>high
port&#62;.</para> port</emphasis>&#62;.</para>
<para>This column is ignored if PROTOCOL = all but must be entered if <para>This column is ignored if PROTOCOL = all but must be entered if
any of the following ields are supplied. In that case, it is suggested any of the following ields are supplied. In that case, it is suggested
that this field contain <quote>-</quote>.</para> that this field contain <quote>-</quote>.</para>
<para>If your kernel contains multi-port match support, then only a <para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and the CLIENT single Netfilter rule will be generated if in this list and in the
PORT(S) list below:</para> CLIENT PORT(S) list below:</para>
<orderedlist>
<listitem>
<para>There are 15 or less ports listed.</para>
</listitem>
<listitem>
<para>No port ranges are included.</para>
</listitem>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each port.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of port
names, port numbers or port ranges.</para>
<para>If you don&#39;t want to restrict client ports but need to specify
an ADDRESS in the next column, then place &#34;-&#34; in this column.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the DEST
PORT(S) list above:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -139,11 +164,13 @@
<para>RATE LIMIT - You may rate-limit the rule by placing a value in <para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para> this column:</para>
<para><programlisting> &#60;rate&#62;/&#60;interval&#62;[:&#60;burst&#62;]</programlisting>where <para><programlisting> &#60;<emphasis>rate</emphasis>&#62;/&#60;<emphasis>interval</emphasis>&#62;[:&#60;<emphasis>burst</emphasis>&#62;]</programlisting>where
&#60;rate&#62; is the number of connections per &#60;interval&#62; (<quote>sec</quote> &#60;<emphasis>rate</emphasis>&#62; is the number of connections per
or <quote>min</quote>) and &#60;burst&#62; is the largest burst &#60;<emphasis>interval</emphasis>&#62; (<quote>sec</quote> or
permitted. If no &#60;burst&#62; is given, a value of 5 is assumed. <quote>min</quote>) and &#60;<emphasis>burst</emphasis>&#62; is the
There may be no whitespace embedded in the specification.</para> largest burst permitted. If no &#60;<emphasis>burst</emphasis>&#62; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para> <para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem> </listitem>
@ -151,9 +178,8 @@
<para>Example:</para> <para>Example:</para>
<para><emphasis role="bold">/etc/shorewall/actions:</emphasis></para> <para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> LogAndAccept</programlisting><emphasis <para><programlisting> LogAndAccept</programlisting><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
role="bold">/etc/shorewall/action.LogAndAccept</emphasis><programlisting> LOG:info
ACCEPT</programlisting></para> ACCEPT</programlisting></para>
</article> </article>


@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-01-04</pubdate> <pubdate>2004-01-26</pubdate>
<copyright> <copyright>
<year>2001-2002</year> <year>2001-2002</year>
@ -44,6 +44,17 @@
<para>In the rules that are shown in this document, the ACTION is shown as <para>In the rules that are shown in this document, the ACTION is shown as
ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>) ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
or you may want DROP or REJECT if you are trying to block the application.</para> or you may want DROP or REJECT if you are trying to block the application.</para>
<para>Example: You want to port forward FTP from the net to your server at
192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 21</programlisting>
<para>You would code your rule as follows:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNAT net dmz:192.168.1.4 tcp 21</programlisting>
</note> </note>
<section> <section>
@ -75,7 +86,7 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 4000 ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 4000
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 53</programlisting> ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 4000:4100</programlisting>
<para>UDP Port 4000. You will also need to open a range of TCP ports which <para>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</para> you can specify to your ICQ client. By default, clients use 4000-4100.</para>
@ -108,7 +119,8 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<title>NFS</title> <title>NFS</title>
<para>I personally use the following rules for opening access from zone z1 <para>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:</para> to a server with IP address a.b.c.d in zone z2. I have found though that
different distributions behave differently so your milage may vary.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111 ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111
@ -237,7 +249,8 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<appendix> <appendix>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add <para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
version converted to Docbook XML</revremark></revision></revhistory></para> version converted to Docbook XML</revremark></revision></revhistory></para>
</appendix> </appendix>


@ -12,7 +12,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2003-01-06</pubdate> <pubdate>2003-01-26</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002</year>
@ -164,14 +164,12 @@
valign="middle"><row valign="middle"><entry align="left"><varname>net</varname></entry><entry valign="middle"><row valign="middle"><entry align="left"><varname>net</varname></entry><entry
align="left">The Internet</entry></row><row valign="middle"><entry align="left">The Internet</entry></row><row valign="middle"><entry
align="left"><varname>loc</varname></entry><entry align="left">Your Local align="left"><varname>loc</varname></entry><entry align="left">Your Local
Network</entry></row><row valign="middle"><entry align="left"><varname>dmz</varname></entry><entry Network</entry></row></tbody></tgroup></informaltable> Zones are defined
align="left">Demilitarized Zone</entry></row></tbody></tgroup></informaltable> in the <ulink url="Documentation.htm#Zones"><filename class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
Zones are defined in the <ulink url="Documentation.htm#Zones"><filename
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
file.</para> file.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by <para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <varname>fw</varname>.</para> default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
<para>Rules about what traffic to allow and what traffic to deny are <para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.10-RC3 VERSION=1.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.10-RC3 VERSION=1.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.4.10 %define version 1.4.10
%define release 0RC3 %define release 1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -109,6 +109,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-1
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net> * Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC3 - Changed version to 1.4.10-RC3
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net> * Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.10-RC3 VERSION=1.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {