Shorewall 1.4.10

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1099 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-01-31 03:24:02 +00:00
parent f67cb1eab8
commit afee989ee5
21 changed files with 540 additions and 702 deletions


@ -92,7 +92,7 @@
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
@ -126,6 +126,6 @@
# place a similar limit in the TARGET column.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,23 +1,23 @@
Changes since 1.4.8
Changes since 1.4.9
1) Replace "Static NAT" with "One-to-one NAT".
1) Implement destination list in masq file.
2) Change SMB common rules to DROP.
2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
3) Change wording in release notes.
3) Correct column headings in action.template
4) Move ip_forward handling to a function.
4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or
ADD_SNAT_ALIASES=Yes.
5) Change 'norfc1918' logging to log out of chains named 'rfc1918'.
5) Implement "detectnets" option.
6) Reword the description of NEWNOTSYN in shorewall.conf.
6) Correct the CONTINUE target and fix a couple of bugs in rate
limiting (with an assist from Steven Jan Springl).
7) Added MODULE_SUFFIX option to shorewall.conf.
7) Silently drop smurfs and broadcasts in the 'reject' chain.
8) Add /etc/shorewall/actions and /etc/shorewall/action.template
8) Add multicast to 'detectnets' zones.
9) Fix SNAT handling in DNAT rules.
9) Don't add broadcasts to /0 groups.
10) Change default to NEWNOTSYN=Yes
11) Add rule to drop null source addressed ICMPs.
10) Fix "-" in PROTO column of an action file.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.9
VERSION=1.4.10
usage() # $1 = exit status
{


@ -564,11 +564,21 @@ determine_hosts() {
eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do
if [ -z "$hosts" ]; then
hosts=$interface:0.0.0.0/0
eval options=\$`chain_base ${interface}`_options
if list_search detectnets $options; then
subnets=`get_routed_subnets $interface`
else
hosts="$hosts $interface:0.0.0.0/0"
subnets=0.0.0.0/0
fi
for subnet in $subnets; do
if [ -z "$hosts" ]; then
hosts=$interface:$subnet
else
hosts="$hosts $interface:$subnet"
fi
done
done
interfaces=
@ -611,6 +621,8 @@ validate_zone() # $1 = zone
# Validate the zone names and options in the interfaces file
#
validate_interfaces_file() {
local wildcard
while read z interface subnet options; do
expandv z interface subnet options
r="$z $interface $subnet $options"
@ -628,10 +640,15 @@ validate_interfaces_file() {
list_search $interface $all_interfaces && \
startup_error "Duplicate Interface $interface"
wildcard=
case $interface in
*:*)
startup_error "Invalid Interface Name: $interface"
;;
*+*)
wildcard=Yes
;;
esac
all_interfaces="$all_interfaces $interface"
@ -646,6 +663,10 @@ validate_interfaces_file() {
case $option in
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
;;
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
;;
dropunclean|logunclean)
error_message \
"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
@ -1709,6 +1730,25 @@ process_tc_rule()
esac
fi
if [ "x$user" != "x-" ]; then
[ "$chain" != tcout ] && \
fatal_error "Invalid use of a user/group: rule \"$rule\""
case "$user" in
*:*)
r="$r-m owner"
temp="${user%:*}"
[ -n "$temp" ] && r="$r --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && r="$r --gid-owner $temp "
;;
*)
r="$r-m owner --uid-owner $user "
;;
esac
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
@ -1767,9 +1807,9 @@ setup_tc1() {
#
strip_file tcrules
while read mark sources dests proto ports sports; do
expandv mark sources dests proto ports sports
rule=`echo "$mark $sources $dests $proto $ports $sports"`
while read mark sources dests proto ports sports user; do
expandv mark sources dests proto ports sports user
rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
process_tc_rule
done < $TMP_DIR/tcrules
#
@ -2335,7 +2375,7 @@ process_action() # $1 = action
# Generate Netfilter rule(s)
protocol=${protocol:=all}
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
@ -2904,6 +2944,8 @@ process_rule() # $1 = target
# Function Body - isolate rate limit
[ "x$ratelimit" = "x-" ] && ratelimit=
if [ -z "$ratelimit" ]; then
if [ "$target" != "${target%<*}" ]; then
ratelimit="${target#*<}"
@ -2915,9 +2957,6 @@ process_rule() # $1 = target
if [ -n "$ratelimit" ]; then
case $ratelimit in
-)
ratelimit=
;;
*:*)
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
;;
@ -2955,7 +2994,11 @@ process_rule() # $1 = target
case "$userset" in
*:*)
case $target in
ACCEPT|REJECT|DROP)
ACCEPT)
;;
REJECT|DROP)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
;;
*)
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
@ -2981,9 +3024,13 @@ process_rule() # $1 = target
target=`accept_chain $userset`
;;
DROP)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=`drop_chain $userset`
;;
REJECT)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=`reject_chain $userset`
;;
*)
@ -2999,8 +3046,15 @@ process_rule() # $1 = target
ACCEPT|LOG)
;;
REJECT)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=reject
;;
CONTINUE)
[ -n "$ratelimit" ] && fatal_error \
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
target=RETURN
;;
DNAT)
target=ACCEPT
address=${address:=detect}
@ -3735,7 +3789,7 @@ setup_masq()
case $fullinterface in
*:*:*)
# Both alias name and subnet
destnet="${fullinterface##*:}"
destnets="${fullinterface##*:}"
fullinterface="${fullinterface%:*}"
;;
*:*)
@ -3743,17 +3797,17 @@ setup_masq()
case ${fullinterface#*:} in
*.*)
# It's a subnet
destnet="${fullinterface#*:}"
destnets="${fullinterface#*:}"
fullinterface="${fullinterface%:*}"
;;
*)
#it's an alias name
destnet="0.0.0.0/0"
destnets="0.0.0.0/0"
;;
esac
;;
*)
destnet="0.0.0.0/0"
destnets="0.0.0.0/0"
;;
esac
@ -3770,7 +3824,6 @@ setup_masq()
subnet="${subnet%!*}"
fi
chain=`masq_chain $interface`
source="$subnet"
@ -3799,33 +3852,70 @@ setup_masq()
done
fi
destination=$destnet
destination=$destnets
if [ -n "$nomasq" ]; then
newchain=masq${masq_seq}
createnatchain $newchain
chain=`masq_chain $interface`
if [ -n "$subnet" ]; then
for s in $subnet; do
addnatrule $chain -d $destnet -s $s -j $newchain
case $destnets in
!*)
newchain=masq${masq_seq}
createnatchain $newchain
destnets=${destnets#!}
for destnet in $(separate_list $destnets); do
addnatrule $newchain -d $destnet -j RETURN
done
else
addnatrule $chain -d $destnet -j $newchain
fi
masq_seq=$(($masq_seq + 1))
chain=$newchain
subnet=
destnet=
if [ -n "$subnet" ]; then
for s in $subnet; do
addnatrule $chain -s $s -j $newchain
done
subnet=
else
addnatrule $chain -j $newchain
fi
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
masq_seq=$(($masq_seq + 1))
chain=$newchain
destnets=0.0.0.0/0
source="$source except $nomasq"
else
destnet="-d $destnet"
fi
if [ -n "$nonmasq" ]; then
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
source="$source except $nomasq"
fi
;;
*)
if [ -n "$nomasq" ]; then
newchain=masq${masq_seq}
createnatchain $newchain
if [ -n "$subnet" ]; then
for s in $subnet; do
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -s $s -j $newchain
done
done
else
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j $newchain
done
fi
masq_seq=$(($masq_seq + 1))
chain=$newchain
subnet=
destnets=0.0.0.0/0
for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN
done
source="$source except $nomasq"
fi
;;
esac
if [ -n "$addresses" ]; then
temp=
@ -3837,18 +3927,26 @@ setup_masq()
if [ -n "$subnet" ]; then
for s in $subnet; do
if [ -n "$addresses" ]; then
addnatrule $chain -s $s $destnet -j SNAT $temp
for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j SNAT $temp
done
echo " To $destination from $s through ${interface} using $addresses"
else
addnatrule $chain -s $s $destnet -j MASQUERADE
for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet -j MASQUERADE
done
echo " To $destination from $s through ${interface}"
fi
done
elif [ -n "$address" ]; then
addnatrule $chain $destnet -j SNAT $temp
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j SNAT $temp
done
echo " To $destination from $source through ${interface} using $addresses"
else
addnatrule $chain $destnet -j MASQUERADE
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet -j MASQUERADE
done
echo " To $destination from $source through ${interface}"
fi
@ -4345,9 +4443,26 @@ build_common_chain() {
#
add_common_rules() {
local savelogparms="$LOGPARMS"
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
#
# Reject Rules
# Reject Rules -- Don't respond to broadcasts with an ICMP
#
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $broadcasts ; do
run_iptables -A reject -d $address -j DROP
done
fi
#
# Don't feed the smurfs
#
for address in $broadcasts ; do
run_iptables -A reject -s $address -j DROP
done
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
run_iptables -A reject -p udp -j REJECT
#
@ -4754,6 +4869,8 @@ activate_rules()
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
need_broadcast=
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
@ -4771,8 +4888,19 @@ activate_rules()
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
if [ "$subnet" != 0.0.0.0/0 ]; then
if ! list_search $interface $need_broadcast ; then
eval options=\$`chain_base ${interface}`_options
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
fi
fi
done
for interface in $need_broadcast ; do
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
done
for zone1 in $zones; do
eval policy=\$${zone}2${zone1}_policy
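Review bot: The exclusion guard in the new `!*)` arm of setup_masq tests `$nonmasq` (`if [ -n "$nonmasq" ]; then`) while every other reference in this hunk and in the `*)` arm below spells it `nomasq`, so unless `nonmasq` is assigned somewhere outside the hunk, the RETURN rules for the excluded source addresses and the "except" annotation are never emitted when a destination list begins with "!", and hosts the SUBNET!exclusion was meant to leave alone are masqueraded through the new chain. The line should read `if [ -n "$nomasq" ]; then`. Separately, in the process_tc_rule hunk the new USER column is read as a seventh field in setup_tc1, so an existing six-column tcrules entry leaves `user` empty; `[ "x$user" != "x-" ]` then accepts it and the `*)` arm emits `--uid-owner` with no argument — unless process_tc_rule normalizes the variable earlier (outside the hunk), guard with `if [ -n "$user" ] && [ "x$user" != "x-" ]; then` or default it with `user=${user:--}` before the test. Both enclosing functions start and end outside their hunks.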


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.9
VERSION=1.4.10
usage() # $1 = exit status
{


@ -117,6 +117,13 @@
# interface. The interface must be up
# when Shorewall is started.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE!
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.


@ -18,7 +18,12 @@
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
# ":" followed by a comma-separed list of
# destination hosts or subnets. If this list begins with
# "!" then masquerading will occur if and only if the
# connection destination is NOT included in the list.
# Otherwise, the masquerading will occur if and only if
# the destination IS included in the list.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
@ -89,7 +94,7 @@
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# primary address of eth0. You want 206.124.146.176 to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176


@ -1,24 +1,23 @@
This is a minor release of Shorewall.
Problems Corrected since version 1.4.8:
Problems Corrected since version 1.4.9:
1) There has been a low continuing level of confusion over the terms
"Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all
instances of "Static NAT" have been replaced with "One-to-one NAT"
in the documentation and configuration files.
1. The column descriptions in the action.template file did not match
the column headings. That has been corrected.
2) The description of NEWNOTSYN in shorewall.conf has been reworded for
clarity.
2. The presence of IPV6 addresses on devices generates error messages
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
specified in /etc/shorewall/shorewall.conf.
3) Wild-card rules (those involving "all" as SOURCE or DEST) will no
longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.
3. The CONTINUE action in /etc/shorewall/rules now works correctly. A
couple of problems involving rate limiting have been
corrected. These bug fixes courtesy of Steven Jan Springl.
4) DNAT rules that also specified SNAT now work reliably. Previously,
there were cases where the SNAT specification was effectively
ignored.
4. Shorewall now tries to avoid sending an ICMP response to broadcasts
and smurfs.
5. Specifying "-" or "all" in the PROTO column of an action no longer
causes a startup error.
Migration Issues:
@ -26,79 +25,37 @@ None.
New Features:
1) The documentation has been completely rebased to Docbook XML. The
documentation is now released as separate HTML and XML packages.
1) The INTERFACE column in the /etc/shorewall/masq file may now
specify a destination list.
2) To cut down on the number of "Why are these ports closed rather than
stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
Example:
3) For easier identification, packets logged under the 'norfc1918'
interface option are now logged out of chains named
'rfc1918'. Previously, such packets were logged under chains named
'logdrop'.
#INTERFACE SUBNET ADDRESS
eth0:192.0.2.3,192.0.2.16/28 eth1
4) Distributors and developers seem to be regularly inventing new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix
for module names in your particular distribution. If MODULE_SUFFIX
is not set in shorewall.conf, Shorewall will use the list "o gz ko
o.gz".
If the list begins with "!" then SNAT will occur only if the
destination IP address is NOT included in the list.
To see what suffix is used by your distribution:
2) Output traffic control rules (those with the firewall as the source)
may now be qualified by the effective userid and/or effective group
id of the program generating the output. This feature is courtesy of
Frédéric LESPEZ.
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
A new USER column has been added to /etc/shorewall/tcrules.
All of the files listed should have the same suffix (extension). Set
MODULE_SUFFIX to that suffix.
It may contain :
Examples:
[<user name or number>]:[<group name or number>]
If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
The colon is optionnal when specifying only a user.
5) Support for user defined rule ACTIONS has been implemented through
two new files:
Examples : john: / john / :users / john:users
/etc/shorewall/actions - used to list the user-defined ACTIONS.
/etc/shorewall/action.template - For each user defined <action>, copy
this file to
/etc/shorewall/action.<action> and
add the appropriate rules for that
<action>.
Once an <action> has been defined, it may be used like any of the
builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
3) A "detectnets" interface option has been added for entries in
/etc/shorewall/interfaces. This option automatically taylors the
definition of the zone named in the ZONE column to include just
those hosts that have routes through the interface named in the
INTERFACE column. The named interface must be UP when
Shorewall is [re]started.
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.
In /etc/shorewall/actions, you would add:
LogAndAccept
You would then copy /etc/shorewall/action.template to
/etc/shorewall/action.LogAndAccept and in that file, you would add the two
rules:
LOG:info
ACCEPT
6) The default value for NEWNOTSYN in shorewall.conf is now "Yes"
(non-syn TCP packets that are not part of an existing connection are
filtered according to the rules and policies rather than being
dropped). I have made this change for two reasons:
a) NEWNOTSYN=No tends to result in lots of "stuck" connections since
any timeout during TCP session tear down results in the firewall
dropping all of the retries.
b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in
lots of confusing messages when a connection got "stuck". While I
could have changed the default value of LOGNEWNOTSYN to suppress
logging, I dislike defaults that silently throw away packets.
7) The common.def file now contains an entry that silently drops ICMP
packets with a null source address. Ad Koster reported a case where
these were occuring frequently as a result of a broken system on his
external network.
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!


@ -46,7 +46,7 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
71.0.0.0/8 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
85.0.0.0/8 logdrop # Reserved
86.0.0.0/7 logdrop # Reserved


@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.9
%define version 1.4.10
%define release 1
%define prefix /usr
@ -109,6 +109,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-1
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC3
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC2
* Thu Jan 22 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC1
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.9
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>


@ -57,7 +57,22 @@
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# USER This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective user and/or group.
#
# It may contain :
#
# [<user name or number>]:[<group name or number>]
#
# The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users
#
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.9
VERSION=1.4.10
usage() # $1 = exit status
{


@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-01-24</pubdate>
<pubdate>2004-01-25</pubdate>
<copyright>
<year>2001-2004</year>
@ -60,132 +60,22 @@
shows how to do port forwarding under Shorewall. The format of a
port-forwarding rule to a local system is as follows:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&#60;local IP address&#62;[:&#60;local port&#62;]</entry>
<entry>&#60;protocol&#62;</entry>
<entry>&#60;port #&#62;</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:&#60;l<emphasis>ocal IP address</emphasis>&#62;[:&#60;<emphasis>local port</emphasis>&#62;] &#60;<emphasis>protocol</emphasis>&#62; &#60;<emphasis>port #</emphasis>&#62;</programlisting>
<para>So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:192.168.1.5</entry>
<entry>udp</entry>
<entry>7777</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:192.168.1.5 udp 7777</programlisting>
<para>If you want to forward requests directed to a particular address (
<emphasis>&#60;external IP&#62;</emphasis> ) on your firewall to an
internal system:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:&#60;local IP address&#62;[:&#60;local port&#62;]</entry>
<entry>&#60;protocol&#62;</entry>
<entry>&#60;port #&#62;</entry>
<entry>-</entry>
<entry>&#60;external IP&#62;</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT net loc:&#60;l<emphasis>ocal IP address</emphasis>&#62;[:&#60;<emphasis>local port</emphasis>&#62;] &#60;<emphasis>protocol</emphasis>&#62; &#60;<emphasis>port #</emphasis>&#62; - &#60;<emphasis>external IP</emphasis>&#62;</programlisting>
<para>Finally, if you need to forward a range of ports, in the PORT
column specify the range as <emphasis>&#60;low-port&#62;:&#60;high-port&#62;</emphasis>.</para>
@ -235,8 +125,8 @@
<itemizedlist>
<listitem>
<para>As root, type <quote>iptables -t nat -Z</quote>. This clears
the NetFilter counters in the nat table.</para>
<para>As root, type <quote><command>iptables -t nat -Z</command></quote>.
This clears the NetFilter counters in the nat table.</para>
</listitem>
<listitem>
@ -244,7 +134,7 @@
</listitem>
<listitem>
<para>As root type <quote>shorewall show nat</quote></para>
<para>As root type <quote><command>shorewall show nat</command></quote></para>
</listitem>
<listitem>
@ -295,47 +185,10 @@
my firewall and have the firewall forward the connection to port 22 on
local system 192.168.1.3. How do I do that?</title>
<para>In /etc/shorewall/rules:</para>
<para>In /<filename>etc/shorewall/rules</filename>:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry>DESTINATION</entry>
<entry>PROTOCOL</entry>
<entry>PORT</entry>
<entry>SOURCE PORT</entry>
<entry>ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net</entry>
<entry>loc:192.168.1.3:22</entry>
<entry>tcp</entry>
<entry>1022</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:192.168.3:22 tcp 1022</programlisting>
</section>
</section>
@ -407,127 +260,30 @@
<itemizedlist>
<listitem>
<para>In /etc/shorewall/interfaces:</para>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>eth1</entry>
<entry>detect</entry>
<entry><emphasis role="bold">routeback</emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback</emphasis></programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/rules:</para>
<para>In <filename>/etc/shorewall/rules</filename>:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>loc</entry>
<entry>web:192.168.1.5</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>130.151.100.69:192.168.1.254</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</programlisting>
<para>That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running
Shorewall 1.3.4 or later then include this in /etc/shorewall/init:</para>
Shorewall 1.3.4 or later then include this in <filename>/etc/shorewall/init</filename>:</para>
<programlisting>ETH0_IP=`find_interface_address eth0`</programlisting>
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
<para>and make your DNAT rule:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">SOURCE PORT</entry>
<entry align="center">ORIG. DEST.</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>loc</entry>
<entry>web:192.168.1.5</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>$ETH0_IP:192.168.1.254</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP:192.168.1.254</programlisting>
<para>Using this technique, you will want to configure your
DHCP/PPPoE client to automatically restart Shorewall each time that
@ -597,94 +353,23 @@
<literallayout>Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24</literallayout>
<para>In /etc/shorewall/interfaces:</para>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis></programlisting>
<entry align="center">INTERFACE</entry>
<para>In <filename>/etc/shorewall/policy</filename>:</para>
<entry align="center">BROADCAST</entry>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
dmz dmz ACCEPT</programlisting>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<para>In <filename>/etc/shorewall/masq</filename>:</para>
<tbody>
<row>
<entry>dmz</entry>
<programlisting>#INTERFACE SUBNET ADDRESS
eth2 192.168.2.0/24</programlisting>
<entry>eth2</entry>
<entry>192.168.2.255</entry>
<entry><emphasis role="bold">routeback</emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/policy:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">POLICY</entry>
<entry align="center">LIMIT:BURST</entry>
</row>
</thead>
<tbody>
<row>
<entry>dmz</entry>
<entry>dmz</entry>
<entry>ACCEPT</entry>
<entry><emphasis role="bold"></emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/masq:</para>
<informaltable>
<tgroup cols="3">
<thead>
<row>
<entry align="center">INTERFACE</entry>
<entry align="center">SUBNET</entry>
<entry align="center">ADDRESS</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth2</entry>
<entry>192.168.2.0/24</entry>
<entry><emphasis role="bold"></emphasis></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/nat, be sure that you have <quote>Yes</quote>
in the ALL INTERFACES column.</para>
<para>In <filename>/etc/shorewall/na</filename>t, be sure that you
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
</example>
</section>
</section>
@ -791,18 +476,19 @@
<orderedlist>
<listitem>
<para>Create /etc/shorewall/common if it doesn&#39;t already exist.</para>
<para>Create <filename>/etc/shorewall/common</filename> if it
doesn&#39;t already exist.</para>
</listitem>
<listitem>
<para>Be sure that the first command in the file is <quote>.
/etc/shorewall/common.def</quote></para>
<filename>/etc/shorewall/common.de</filename>f</quote></para>
</listitem>
<listitem>
<para>Add the following to /etc/shorewall/common</para>
<para>Add the following to <filename>/etc/shorewall/common</filename></para>
<programlisting>run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT</programlisting>
<programlisting><command>run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT</command></programlisting>
</listitem>
</orderedlist>
@ -859,14 +545,15 @@
see <quote>man syslog</quote>) in your <ulink
url="Documentation.htm#Policy">policies</ulink> and <ulink
url="Documentation.htm#Rules">rules</ulink>. The destination for
messaged logged by syslog is controlled by /etc/syslog.conf (see
<quote>man syslog.conf</quote>). When you have changed /etc/syslog.conf,
be sure to restart syslogd (on a RedHat system, <quote>service syslog
restart</quote>).</para>
messaged logged by syslog is controlled by <filename>/etc/syslog.conf</filename>
(see <quote>man syslog.conf</quote>). When you have changed
/etc/syslog.conf, be sure to restart syslogd (on a RedHat system,
<quote>service syslog restart</quote>).</para>
<para>By default, older versions of Shorewall ratelimited log messages
through <ulink url="Documentation.htm#Conf">settings</ulink> in
/etc/shorewall/shorewall.conf -- If you want to log all messages, set:</para>
<filename>/etc/shorewall/shorewall.conf</filename> -- If you want to log
all messages, set:</para>
<programlisting>LOGLIMIT=&#34;&#34;
LOGBURST=&#34;&#34;</programlisting>
@ -929,20 +616,21 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
</orderedlist>
<para>You can distinguish the difference by setting the <emphasis
role="bold">logunclean</emphasis> option (<ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>)
role="bold">logunclean</emphasis> option (<filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>)
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:</para>
<programlisting>#
# Include the standard common.def file
# . /etc/shorewall/common.def
#
<command>. /etc/shorewall/common.def</command>
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlisting>
<command>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</command></programlisting>
<para>The above file is also include in all of my sample
configurations available in the <ulink
@ -1012,8 +700,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<tip>
<para>Under Debian, you can set KLOGD=<quote>-c 5</quote> in
/etc/init.d/klogd to suppress info (log level 6) messages on the
console.</para>
<filename>/etc/init.d/klogd</filename> to suppress info (log level 6)
messages on the console.</para>
</tip>
<tip>
@ -1034,9 +722,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<term>man1918 or logdrop</term>
<listitem>
<para>The destination address is listed in /etc/shorewall/rfc1918
<para>The destination address is listed in <filename>/etc/shorewall/rfc1918</filename>
with a <emphasis role="bold">logdrop</emphasis> target -- see
<ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>.</para>
<filename><ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink></filename>.</para>
</listitem>
</varlistentry>
@ -1044,9 +732,9 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<term>rfc1918 or logdrop</term>
<listitem>
<para>The source address is listed in /etc/shorewall/rfc1918 with
a <emphasis role="bold">logdrop</emphasis> target -- see <ulink
url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>.</para>
<para>The source address is listed in <filename>/etc/shorewall/rfc1918</filename>
with a <emphasis role="bold">logdrop</emphasis> target -- see
<filename><ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink></filename>.</para>
</listitem>
</varlistentry>
@ -1099,7 +787,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<para>The packet is being logged under the <emphasis role="bold">dropunclean</emphasis>
<ulink url="Documentation.htm#Interfaces">interface option</ulink>
as specified in the <emphasis role="bold">LOGUNCLEAN</emphasis>
setting in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
setting in <ulink url="Documentation.htm#Conf"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
</listitem>
</varlistentry>
@ -1108,7 +796,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<listitem>
<para>The packet is being logged because the source IP is
blacklisted in the <ulink url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink>
blacklisted in the <filename><ulink
url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink></filename>
file.</para>
</listitem>
</varlistentry>
@ -1121,7 +810,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
is not part of any current connection yet it is not a syn packet.
Options affecting the logging of such packets include <emphasis
role="bold">NEWNOTSYN</emphasis> and <emphasis role="bold">LOGNEWNOTSYN</emphasis>
in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
in <ulink url="Documentation.htm#Conf"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
</listitem>
</varlistentry>
@ -1290,78 +979,29 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
<para>Setting this up in Shorewall is easy; setting up the routing is a
bit harder.</para>
<para>Assuming that eth0 and eth1 are the interfaces to the two ISPs
then:</para>
<para>Assuming that <filename class="devicefile">eth0</filename> and
<filename class="devicefile">eth1</filename> are the interfaces to the
two ISPs then:</para>
<para>/etc/shorewall/interfaces:</para>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
net eth1 detect</programlisting>
<entry align="center">INTERFACE</entry>
<para><filename>/etc/shorewall/policy</filename>:</para>
<entry align="center">BROADCAST</entry>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
net net DROP</programlisting>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<para>If you have masqueraded hosts, be sure to update
<filename>/etc/shorewall/masq</filename> to masquerade to both ISPs. For
example, if you masquerade all hosts connected to <filename
class="devicefile">eth2</filename> then:</para>
<tbody>
<row>
<entry>net</entry>
<entry>eth0</entry>
<entry>detect</entry>
<entry>...</entry>
</row>
<row>
<entry>net</entry>
<entry>eth1</entry>
<entry>detect</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>/etc/shorewall/policy:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">POLICY</entry>
<entry align="center">LIMIT:BURST</entry>
</row>
</thead>
<tbody>
<row>
<entry>net</entry>
<entry>net</entry>
<entry>DROP</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 eth2
eth1 eth2</programlisting>
<para><citetitle>There was an article in SysAdmin covering this topic.
It may be found at <ulink
@ -1520,11 +1160,11 @@ ip route add 127.0.0.0/8 dev lo table T2</programlisting>
<title>(FAQ 7) When I stop Shorewall using <quote>shorewall stop</quote>,
I can&#39;t connect to anything. Why doesn&#39;t that command work?</title>
<para>The <quote>stop</quote> command is intended to place your firewall
into a safe state whereby only those hosts listed in
/etc/shorewall/routestopped&#39; are activated. If you want to totally
open up your firewall, you must use the <quote>shorewall clear</quote>
command.</para>
<para>The <quote><command>stop</command></quote> command is intended to
place your firewall into a safe state whereby only those hosts listed in
<filename>/etc/shorewall/routestopped</filename>&#39; are activated. If
you want to totally open up your firewall, you must use the
<quote><command>shorewall clear</command></quote> command.</para>
</section>
<section id="faq8">
@ -1590,12 +1230,13 @@ Creating input Chains...
<para><emphasis role="bold">Answer:</emphasis> The above output is
perfectly normal. The Net zone is defined as all hosts that are
connected through eth0 and the local zone is defined as all hosts
connected through eth1. If you are running Shorewall 1.4.10 or later,
you can consider setting the <ulink url="Documentation.htm#Interfaces"><emphasis
role="bold">detectnets</emphasis> interface option</ulink> on your local
interface (eth1 in the above example). That will cause Shorewall to
restrict the local zone to only those networks routed through that
interface.</para>
connected through <filename class="devicefile">eth1</filename>. If you
are running Shorewall 1.4.10 or later, you can consider setting the
<ulink url="Documentation.htm#Interfaces"><emphasis role="bold">detectnets</emphasis>
interface option</ulink> on your local interface (<filename
class="devicefile">eth1</filename> in the above example). That will
cause Shorewall to restrict the local zone to only those networks routed
through that interface.</para>
</section>
<section id="faq22">
@ -1665,7 +1306,7 @@ Creating input Chains...
<para>At the shell prompt, type:</para>
<programlisting>/sbin/shorewall version</programlisting>
<programlisting><command>/sbin/shorewall version</command></programlisting>
</section>
<section id="faq31">
@ -1745,32 +1386,15 @@ Creating input Chains...
version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and
in it, place the following:</para>
<programlisting>run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</programlisting>
<programlisting><command>run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</command></programlisting>
<para>If you are running version 1.3.1 or later, simply add the
following to <ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>:</para>
<para>Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</para>
<informaltable>
<tgroup cols="2">
<thead>
<row>
<entry align="center">SUBNET</entry>
<entry align="center">TARGET</entry>
</row>
</thead>
<tbody>
<row>
<entry>192.168.100.1</entry>
<entry>RETURN</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#SUBNET TARGET
192.168.100.1 RETURN</programlisting>
<note>
<para>If you add a second IP address to your external firewall
@ -1779,31 +1403,9 @@ Creating input Chains...
configure the address 192.168.100.2 on your firewall, then you would
add two entries to /etc/shorewall/rfc1918:</para>
<informaltable>
<tgroup cols="2">
<thead>
<row>
<entry align="center">SUBNET</entry>
<entry align="center">TARGET</entry>
</row>
</thead>
<tbody>
<row>
<entry>192.168.100.1</entry>
<entry>RETURN</entry>
</row>
<row>
<entry>192.168.100.2</entry>
<entry>RETURN</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#SUBNET TARGET
192.168.100.1 RETURN
192.168.100.2 RETURN</programlisting>
</note>
<section id="faq14a">
@ -1883,7 +1485,7 @@ Creating input Chains...
<para>Add this command to your /etc/shorewall/start file:</para>
<programlisting>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</programlisting>
<programlisting><command>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</command></programlisting>
</section>
</section>
@ -1941,8 +1543,9 @@ iptables: Invalid argument
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added
FAQ 27a regarding kernel/iptables incompatibility.<emphasis role="bold"></emphasis></revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
<para><revhistory><revision><revnumber>1.15</revnumber><date>2004-01-25</date><authorinitials>TE</authorinitials><revremark>Updated
FAQ 32 to mention masquerading. Remove tables.</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added
FAQ 27a regarding kernel/iptables incompatibility.</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
a note about the <emphasis role="bold">detectnets</emphasis> interface
option in FAQ 9.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
FAQ 16 answer.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Corrected


@ -13,10 +13,10 @@
<surname>Eastep</surname>
</author>
<pubdate>2003/12/23</pubdate>
<pubdate>2004-01-26</pubdate>
<copyright>
<year>2003</year>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -98,6 +98,82 @@
</section>
</section>
<section>
<title>Shorewall Concepts</title>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you will only need to deal with a few of them.</para>
<para>Shorewall views the network where it is running as being composed of
a set of zones. In the <ulink url="three-interface.htm">three-interface
sample configuration</ulink> for example, the following zone names are
used: <informaltable frame="all" pgwide="0"><tgroup align="left" cols="2"><thead
valign="middle"><row valign="middle"><entry align="left">Name</entry><entry
align="left">Description</entry></row></thead><tbody valign="middle"><row
valign="middle"><entry align="left"><varname>net</varname></entry><entry
align="left">The Internet</entry></row><row valign="middle"><entry
align="left"><varname>loc</varname></entry><entry align="left">Your Local
Network</entry></row><row valign="middle"><entry align="left"><varname>dmz</varname></entry><entry
align="left">Demilitarized Zone</entry></row></tbody></tgroup></informaltable>Zones
are defined in the <ulink url="Documentation.htm#Zones"><filename
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
file.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You
express your default policy for connections from one zone to another zone
in the <ulink url="Documentation.htm#Policy"><filename class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>
file.</para></listitem><listitem><para>You define exceptions to those
default policies in the <ulink url="Documentation.htm#Rules"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>
file.</para></listitem></itemizedlist>For each connection request entering
the firewall, the request is first checked against the <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>
file. If no rule in that file matches the connection request then the
first policy in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If that policy is <varname>REJECT</varname>
or <varname>DROP</varname> the request is first checked against the rules
in <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
if that file exists; otherwise the rules in <filename class="directory">/etc/shorewall/</filename><filename>common.def</filename>
are checked.</para>
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT</programlisting> The above policy will:
<itemizedlist><listitem><para>Allow all connection requests from your
local network to the internet</para></listitem><listitem><para>Drop
(ignore) all connection requests from the internet to your firewall or
local network</para></listitem><listitem><para>Optionally accept all
connection requests from the firewall to the internet (if you uncomment
the additional policy)</para></listitem><listitem><para>reject all other
connection requests.</para></listitem></itemizedlist></para>
<para>The simplest way to define a zone is to associate the zone with a
network interface using the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file. In the three-interface sample, the three zones are defined using
that file as follows:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect</programlisting>
<para>The above file defines the net zone as all hosts interfacing to the
firewall through eth0, the loc zone as all hosts interfacing through eth1
and the dmz as all hosts interfacing through eth2.</para>
</section>
<section>
<title>License</title>


@ -15,14 +15,10 @@
</author>
</authorgroup>
<pubdate>2003-12-09</pubdate>
<pubdate>2003-01-29</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -37,8 +33,8 @@
</legalnotice>
</articleinfo>
<para>Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were
limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
<para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
Beginning with Shorewall version 1.4.9, users may use sequences of these
elementary operations to define more complex actions.</para>
@ -46,18 +42,19 @@
<orderedlist>
<listitem>
<para>Add a line to /etc/shorewall/actions that names your new action.
Action names must be valid shell variable names as well as valid
Netfilter chain names. It is recommended that the name you select for a
new action begins with with a capital letter; that way, the name
won&#39;t conflict with a Shorewall-defined chain name.</para>
<para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
that names your new action. Action names must be valid shell variable
names as well as valid Netfilter chain names. It is recommended that the
name you select for a new action begins with with a capital letter; that
way, the name won&#39;t conflict with a Shorewall-defined chain name.</para>
</listitem>
<listitem>
<para>Once you have defined your new action name (ActionName), then copy
/etc/shorewall/action.template to /etc/shorewall/action.ActionName (for
example, if your new action name is <quote>Foo</quote> then copy
/etc/shorewall/action.template to /etc/shorewall/action.foo).</para>
/etc/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
(for example, if your new action name is <quote>Foo</quote> then copy
<filename>/etc/shorewall/action.template</filename> to
<filename>/etc/shorewall/action.Foo</filename>).</para>
</listitem>
<listitem>
@ -70,13 +67,15 @@
<itemizedlist>
<listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or
&#60;action&#62; where &#60;action&#62; is a previously-defined action.
The TARGET may optionally be followed by a colon (<quote>:</quote>) and
a syslog log level (e.g, REJECT:info or ACCEPT:debugging). This causes
the packet to be logged at the specified level. You may also specify
ULOG (must be in upper case) as a log level.This will log to the ULOG
target for routing to a separate log through use of ulogd
(http://www.gnumonks.org/projects/ulogd).</para>
&#60;action&#62; where &#60;action&#62; is a previously-defined action
(that is, it must precede the action being defined in this file in your
<filename>/etc/shorewall/actions</filename> file). The TARGET may
optionally be followed by a colon (<quote>:</quote>) and a syslog log
level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to
be logged at the specified level. You may also specify ULOG (must be in
upper case) as a log level.This will log to the ULOG target for routing
to a separate log through use of ulogd (<ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
</listitem>
<listitem>
@ -97,7 +96,8 @@
MAC addresses are not allowed.</para>
<para>Unlike in the SOURCE column, you may specify a range of up to 256
IP addresses using the syntax &#60;first ip&#62;-&#60;last ip&#62;.</para>
IP addresses using the syntax &#60;<emphasis>first ip</emphasis>&#62;-&#60;<emphasis>last
ip</emphasis>&#62;.</para>
</listitem>
<listitem>
@ -107,20 +107,45 @@
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges; if the protocol
is <quote>icmp</quote>, this column is interpreted as the destination
icmp-type(s).</para>
names (from <filename>/etc/services</filename>), port numbers or port
ranges; if the protocol is <quote>icmp</quote>, this column is
interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &#60;low port&#62;:&#60;high
port&#62;.</para>
<para>A port range is expressed as &#60;<emphasis>low port</emphasis>&#62;:&#60;<emphasis>high
port</emphasis>&#62;.</para>
<para>This column is ignored if PROTOCOL = all but must be entered if
any of the following ields are supplied. In that case, it is suggested
that this field contain <quote>-</quote>.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and the CLIENT
PORT(S) list below:</para>
single Netfilter rule will be generated if in this list and in the
CLIENT PORT(S) list below:</para>
<orderedlist>
<listitem>
<para>There are 15 or less ports listed.</para>
</listitem>
<listitem>
<para>No port ranges are included.</para>
</listitem>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each port.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of port
names, port numbers or port ranges.</para>
<para>If you don&#39;t want to restrict client ports but need to specify
an ADDRESS in the next column, then place &#34;-&#34; in this column.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the DEST
PORT(S) list above:</para>
<orderedlist>
<listitem>
@ -139,11 +164,13 @@
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &#60;rate&#62;/&#60;interval&#62;[:&#60;burst&#62;]</programlisting>where
&#60;rate&#62; is the number of connections per &#60;interval&#62; (<quote>sec</quote>
or <quote>min</quote>) and &#60;burst&#62; is the largest burst
permitted. If no &#60;burst&#62; is given, a value of 5 is assumed.
There may be no whitespace embedded in the specification.</para>
<para><programlisting> &#60;<emphasis>rate</emphasis>&#62;/&#60;<emphasis>interval</emphasis>&#62;[:&#60;<emphasis>burst</emphasis>&#62;]</programlisting>where
&#60;<emphasis>rate</emphasis>&#62; is the number of connections per
&#60;<emphasis>interval</emphasis>&#62; (<quote>sec</quote> or
<quote>min</quote>) and &#60;<emphasis>burst</emphasis>&#62; is the
largest burst permitted. If no &#60;<emphasis>burst</emphasis>&#62; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
@ -151,9 +178,8 @@
<para>Example:</para>
<para><emphasis role="bold">/etc/shorewall/actions:</emphasis></para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> LogAndAccept</programlisting><emphasis
role="bold">/etc/shorewall/action.LogAndAccept</emphasis><programlisting> LOG:info
<para><programlisting> LogAndAccept</programlisting><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
</article>


@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-01-04</pubdate>
<pubdate>2004-01-26</pubdate>
<copyright>
<year>2001-2002</year>
@ -44,6 +44,17 @@
<para>In the rules that are shown in this document, the ACTION is shown as
ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
or you may want DROP or REJECT if you are trying to block the application.</para>
<para>Example: You want to port forward FTP from the net to your server at
192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 21</programlisting>
<para>You would code your rule as follows:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNAT net dmz:192.168.1.4 tcp 21</programlisting>
</note>
<section>
@ -75,7 +86,7 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 4000
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 53</programlisting>
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 4000:4100</programlisting>
<para>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</para>
@ -108,7 +119,8 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<title>NFS</title>
<para>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:</para>
to a server with IP address a.b.c.d in zone z2. I have found though that
different distributions behave differently so your milage may vary.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111
@ -237,7 +249,8 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
version converted to Docbook XML</revremark></revision></revhistory></para>
</appendix>


@ -12,7 +12,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2003-01-06</pubdate>
<pubdate>2003-01-26</pubdate>
<copyright>
<year>2002</year>
@ -164,14 +164,12 @@
valign="middle"><row valign="middle"><entry align="left"><varname>net</varname></entry><entry
align="left">The Internet</entry></row><row valign="middle"><entry
align="left"><varname>loc</varname></entry><entry align="left">Your Local
Network</entry></row><row valign="middle"><entry align="left"><varname>dmz</varname></entry><entry
align="left">Demilitarized Zone</entry></row></tbody></tgroup></informaltable>
Zones are defined in the <ulink url="Documentation.htm#Zones"><filename
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
Network</entry></row></tbody></tgroup></informaltable> Zones are defined
in the <ulink url="Documentation.htm#Zones"><filename class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
file.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <varname>fw</varname>.</para>
default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.10-RC3
VERSION=1.4.10
usage() # $1 = exit status
{


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.10-RC3
VERSION=1.4.10
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall
%define version 1.4.10
%define release 0RC3
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -109,6 +109,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Jan 30 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-1
* Tue Jan 27 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10-RC3
* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.10-RC3
VERSION=1.4.10
usage() # $1 = exit status
{