Documentation Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1736 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
29e3991465
commit
b1a3ce39a3
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-22</pubdate>
|
||||
<pubdate>2004-11-02</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
@ -35,10 +35,21 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
|
||||
<revhistory>
|
||||
<revision>
|
||||
<revnumber>1.4</revnumber>
|
||||
|
||||
<date>2004-11-02</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added link to Greg Kops's tutorial.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
@ -46,7 +57,8 @@
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Warning about PPTP conntrack patch and GRE tunnels.</revremark>
|
||||
<revremark>Warning about PPTP conntrack patch and GRE
|
||||
tunnels.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
@ -56,7 +68,8 @@
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Revised instructions regarding PPTP conntrack patch.</revremark>
|
||||
<revremark>Revised instructions regarding PPTP conntrack
|
||||
patch.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
@ -66,12 +79,14 @@
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added note about PPTP module support in Bering 1.2</revremark>
|
||||
<revremark>Added note about PPTP module support in Bering
|
||||
1.2</revremark>
|
||||
</revision>
|
||||
</revhistory>
|
||||
|
||||
<abstract>
|
||||
<para>Shorewall easily supports PPTP in a number of configurations.</para>
|
||||
<para>Shorewall easily supports PPTP in a number of
|
||||
configurations.</para>
|
||||
</abstract>
|
||||
</articleinfo>
|
||||
|
||||
@ -80,8 +95,9 @@
|
||||
|
||||
<note>
|
||||
<para>I am no longer attempting to maintain MPPE patches for current
|
||||
Linux kernel's and pppd. I recommend that you refer to the following
|
||||
URLs for information about installing MPPE into your kernel and pppd.</para>
|
||||
Linux kernel's and pppd. I recommend that you refer to the following
|
||||
URLs for information about installing MPPE into your kernel and
|
||||
pppd.</para>
|
||||
</note>
|
||||
|
||||
<para>The <ulink url="http://pptpclient.sourceforge.net">Linux PPTP client
|
||||
@ -89,12 +105,13 @@
|
||||
connections where your Linux system is the PPTP client. This is what I
|
||||
currently use. I am no longer running PoPToP but rather I use the PPTP
|
||||
Server included with XP Professional (see <ulink
|
||||
url="PPTP.htm#ServerBehind">PPTP Server running behind your Firewall</ulink>
|
||||
below).</para>
|
||||
url="PPTP.htm#ServerBehind">PPTP Server running behind your
|
||||
Firewall</ulink> below).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><ulink url="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</ulink></term>
|
||||
<term><ulink
|
||||
url="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</ulink></term>
|
||||
|
||||
<listitem>
|
||||
<para>Everything you need to run a PPTP client.</para>
|
||||
@ -102,13 +119,23 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><ulink url="http://www.poptop.org">http://www.poptop.org</ulink></term>
|
||||
<term><ulink
|
||||
url="http://www.poptop.org">http://www.poptop.org</ulink></term>
|
||||
|
||||
<listitem>
|
||||
<para>The <quote>kernelmod</quote> package can be used to quickly
|
||||
install MPPE into your kernel without rebooting.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><ulink
|
||||
url="http://devel.elucid8design.com/el8/devel/tutorials/pptp.php">http://devel.elucid8design.com/el8/devel/tutorials/pptp.php</ulink></term>
|
||||
|
||||
<listitem>
|
||||
<para>A nice tutorial for installing a PPTP server on Fedora.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>I am leaving the instructions for building MPPE-enabled kernels and
|
||||
@ -120,8 +147,8 @@
|
||||
<title>PPTP Server Running on your Firewall</title>
|
||||
|
||||
<para>I will try to give you an idea of how to set up a PPTP server on
|
||||
your firewall system. This isn't a detailed HOWTO but rather an
|
||||
example of how I have set up a working PPTP server on my own firewall.</para>
|
||||
your firewall system. This isn't a detailed HOWTO but rather an example of
|
||||
how I have set up a working PPTP server on my own firewall.</para>
|
||||
|
||||
<para>The steps involved are:</para>
|
||||
|
||||
@ -181,15 +208,15 @@
|
||||
parent directory):</para>
|
||||
|
||||
<programlisting>cd ppp-2.4.1
|
||||
patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
|
||||
patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
|
||||
(Optional) patch -p1 < ../require-mppe.diff
|
||||
patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
|
||||
patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
|
||||
(Optional) patch -p1 < ../require-mppe.diff
|
||||
./configure
|
||||
make</programlisting>
|
||||
|
||||
<para>You will need to install the resulting binary on your firewall
|
||||
system. To do that, I NFS mount my source filesystem and use
|
||||
<quote>make install</quote> from the ppp-2.4.1 directory.</para>
|
||||
system. To do that, I NFS mount my source filesystem and use <quote>make
|
||||
install</quote> from the ppp-2.4.1 directory.</para>
|
||||
</section>
|
||||
|
||||
<section id="PatchKernel">
|
||||
@ -207,8 +234,8 @@ make</programlisting>
|
||||
<para>Uncompress the patch into the same directory where your top-level
|
||||
kernel source is located and:</para>
|
||||
|
||||
<programlisting>cd <your GNU/Linux source top-level directory>
|
||||
patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch</programlisting>
|
||||
<programlisting>cd <your GNU/Linux source top-level directory>
|
||||
patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch</programlisting>
|
||||
|
||||
<para>Now configure your kernel. Here is my ppp configuration:</para>
|
||||
|
||||
@ -297,12 +324,12 @@ require-mppe-stateless</programlisting>
|
||||
</itemizedlist>
|
||||
</note>
|
||||
|
||||
<para>Here's my /etc/ppp/chap-secrets:</para>
|
||||
<para>Here's my /etc/ppp/chap-secrets:</para>
|
||||
|
||||
<programlisting>Secrets for authentication using CHAP
|
||||
# client server secret IP addresses
|
||||
CPQTDM\\TEastep * <shhhhhh> 192.168.1.7
|
||||
TEastep * <shhhhhh> 192.168.1.7</programlisting>
|
||||
CPQTDM\\TEastep * <shhhhhh> 192.168.1.7
|
||||
TEastep * <shhhhhh> 192.168.1.7</programlisting>
|
||||
|
||||
<para>I am the only user who connects to the server but I may connect
|
||||
either with or without a domain being specified. The system I connect
|
||||
@ -338,7 +365,7 @@ remoteip 192.168.1.33-38</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The local IP is the same as my internal interface's
|
||||
<para>The local IP is the same as my internal interface's
|
||||
(192.168.1.254).</para>
|
||||
</listitem>
|
||||
|
||||
@ -362,9 +389,9 @@ remoteip 192.168.1.33-38</programlisting>
|
||||
# description: control pptp server
|
||||
#
|
||||
|
||||
case "$1" in
|
||||
case "$1" in
|
||||
start)
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
modprobe ppp_async
|
||||
modprobe ppp_generic
|
||||
modprobe ppp_mppe
|
||||
@ -387,7 +414,7 @@ status)
|
||||
ifconfig
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|status}"
|
||||
echo "Usage: $0 {start|stop|restart|status}"
|
||||
;;
|
||||
esac</programlisting>
|
||||
</section>
|
||||
@ -398,11 +425,11 @@ esac</programlisting>
|
||||
<section>
|
||||
<title>Basic Setup</title>
|
||||
|
||||
<para>Here' a basic setup that treats your remote users as if they
|
||||
<para>Here' a basic setup that treats your remote users as if they
|
||||
were part of your <emphasis role="bold">loc</emphasis> zone. Note that
|
||||
if your primary internet connection uses ppp0, then be sure that
|
||||
<emphasis role="bold">loc</emphasis> follows <emphasis role="bold">net</emphasis>
|
||||
in /etc/shorewall/zones.</para>
|
||||
<emphasis role="bold">loc</emphasis> follows <emphasis
|
||||
role="bold">net</emphasis> in /etc/shorewall/zones.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels</title>
|
||||
@ -606,12 +633,14 @@ esac</programlisting>
|
||||
|
||||
<para>Often there will be situations where you want multiple
|
||||
connections from remote networks with these networks having different
|
||||
firewalling requirements.<graphic fileref="images/MultiPPTP.png" /></para>
|
||||
firewalling requirements.<graphic
|
||||
fileref="images/MultiPPTP.png" /></para>
|
||||
|
||||
<para>Here's how you configure this in Shorewall. Note that if
|
||||
your primary internet connection uses ppp0 then be sure that the
|
||||
<emphasis role="bold">vpn{1-3}</emphasis> zones follows <emphasis
|
||||
role="bold">net</emphasis> in /etc/shorewall/zones as shown below.</para>
|
||||
<para>Here's how you configure this in Shorewall. Note that if your
|
||||
primary internet connection uses ppp0 then be sure that the <emphasis
|
||||
role="bold">vpn{1-3}</emphasis> zones follows <emphasis
|
||||
role="bold">net</emphasis> in /etc/shorewall/zones as shown
|
||||
below.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels</title>
|
||||
@ -833,7 +862,7 @@ esac</programlisting>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
@ -849,7 +878,7 @@ esac</programlisting>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
|
||||
<entry>47</entry>
|
||||
|
||||
@ -864,8 +893,8 @@ esac</programlisting>
|
||||
</table>
|
||||
|
||||
<para>If you have multiple external IP address and you want to forward a
|
||||
single <<emphasis>external address</emphasis>>, add the following
|
||||
to your /etc/shorewall/rules file:</para>
|
||||
single <<emphasis>external address</emphasis>>, add the following to
|
||||
your /etc/shorewall/rules file:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/rules</title>
|
||||
@ -895,7 +924,7 @@ esac</programlisting>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
@ -903,7 +932,7 @@ esac</programlisting>
|
||||
|
||||
<entry>-</entry>
|
||||
|
||||
<entry><<emphasis>external address</emphasis>></entry>
|
||||
<entry><<emphasis>external address</emphasis>></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -911,7 +940,7 @@ esac</programlisting>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
<entry>loc:<<emphasis>server address</emphasis>></entry>
|
||||
|
||||
<entry>47</entry>
|
||||
|
||||
@ -919,7 +948,7 @@ esac</programlisting>
|
||||
|
||||
<entry>-</entry>
|
||||
|
||||
<entry><<emphasis>external address</emphasis>></entry>
|
||||
<entry><<emphasis>external address</emphasis>></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -929,10 +958,10 @@ esac</programlisting>
|
||||
<section id="ClientsBehind">
|
||||
<title>PPTP Clients Running Behind your Firewall</title>
|
||||
|
||||
<para>You shouldn't have to take any special action for this case
|
||||
unless you wish to connect multiple clients to the same external server.
|
||||
In that case, you must install the PPTP connection/tracking and NAT patch
|
||||
from <ulink url="http://www.netfilter.org">Netfilter Patch-O-Mati</ulink>c
|
||||
<para>You shouldn't have to take any special action for this case unless
|
||||
you wish to connect multiple clients to the same external server. In that
|
||||
case, you must install the PPTP connection/tracking and NAT patch from
|
||||
<ulink url="http://www.netfilter.org">Netfilter Patch-O-Mati</ulink>c
|
||||
(some distributions are now shipping with this patch installed). I
|
||||
recommend that you also add these four lines to your
|
||||
/etc/shorewall/modules file:</para>
|
||||
@ -1127,7 +1156,8 @@ loadmodule ip_nat_proto_gre</programlisting>
|
||||
</table>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)</title>
|
||||
<title>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and
|
||||
later)</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -1160,13 +1190,13 @@ loadmodule ip_nat_proto_gre</programlisting>
|
||||
<quote>cpq</quote> zone because I also run a PPTP server on my firewall
|
||||
(see above). Using this technique allows me to distinguish clients of my
|
||||
own PPTP server from arbitrary hosts at Compaq; I assign addresses in
|
||||
192.168.1.0/24 to my PPTP clients and Compaq doesn't use that RFC1918
|
||||
192.168.1.0/24 to my PPTP clients and Compaq doesn't use that RFC1918
|
||||
Class C subnet.</para>
|
||||
|
||||
<para>I use this script in /etc/init.d to control the client. The reason
|
||||
that I disable ECN when connecting is that the Compaq tunnel servers
|
||||
don't do ECN yet and reject the initial TCP connection request if I
|
||||
enable ECN :-(</para>
|
||||
that I disable ECN when connecting is that the Compaq tunnel servers don't
|
||||
do ECN yet and reject the initial TCP connection request if I enable ECN
|
||||
:-(</para>
|
||||
|
||||
<programlisting>#!/bin/sh
|
||||
#
|
||||
@ -1175,48 +1205,48 @@ loadmodule ip_nat_proto_gre</programlisting>
|
||||
# chkconfig: 5 60 85
|
||||
# description: PPTP Link Control
|
||||
#
|
||||
NAME="Tandem"
|
||||
NAME="Tandem"
|
||||
ADDRESS=tunnel-tandem.compaq.com
|
||||
USER='Tandem\tommy'
|
||||
USER='Tandem\tommy'
|
||||
ECN=0
|
||||
DEBUG=
|
||||
|
||||
start_pptp() {
|
||||
echo $ECN > /proc/sys/net/ipv4/tcp_ecn
|
||||
echo $ECN > /proc/sys/net/ipv4/tcp_ecn
|
||||
if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
|
||||
touch /var/lock/subsys/pptp
|
||||
echo "PPTP Connection to $NAME Started"
|
||||
echo "PPTP Connection to $NAME Started"
|
||||
fi
|
||||
}
|
||||
|
||||
stop_pptp() {
|
||||
if killall /usr/sbin/pptp 2> /dev/null; then
|
||||
echo "Stopped pptp"
|
||||
if killall /usr/sbin/pptp 2> /dev/null; then
|
||||
echo "Stopped pptp"
|
||||
else
|
||||
rm -f /var/run/pptp/*
|
||||
fi
|
||||
|
||||
# if killall pppd; then
|
||||
# echo "Stopped pppd"
|
||||
# echo "Stopped pppd"
|
||||
# fi
|
||||
|
||||
rm -f /var/lock/subsys/pptp
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/tcp_ecn
|
||||
echo 1 > /proc/sys/net/ipv4/tcp_ecn
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
case "$1" in
|
||||
start)
|
||||
echo "Starting PPTP Connection to ${NAME}..."
|
||||
echo "Starting PPTP Connection to ${NAME}..."
|
||||
start_pptp
|
||||
;;
|
||||
stop)
|
||||
echo "Stopping $NAME PPTP Connection..."
|
||||
echo "Stopping $NAME PPTP Connection..."
|
||||
stop_pptp
|
||||
;;
|
||||
restart)
|
||||
echo "Restarting $NAME PPTP Connection..."
|
||||
echo "Restarting $NAME PPTP Connection..."
|
||||
stop_pptp
|
||||
start_pptp
|
||||
;;
|
||||
@ -1224,11 +1254,11 @@ status)
|
||||
ifconfig
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart|status}"
|
||||
echo "Usage: $0 {start|stop|restart|status}"
|
||||
;;
|
||||
esac</programlisting>
|
||||
|
||||
<para>Here's my /etc/ppp/options file:</para>
|
||||
<para>Here's my /etc/ppp/options file:</para>
|
||||
|
||||
<programlisting>#
|
||||
# Identify this connection
|
||||
@ -1239,7 +1269,7 @@ ipparam Compaq
|
||||
#
|
||||
lock
|
||||
#
|
||||
# We don't need the tunnel server to authenticate itself
|
||||
# We don't need the tunnel server to authenticate itself
|
||||
#
|
||||
noauth
|
||||
|
||||
@ -1250,7 +1280,7 @@ noauth
|
||||
multilink
|
||||
mrru 1614
|
||||
#
|
||||
# Turn off transmission protocols we know won't be used
|
||||
# Turn off transmission protocols we know won't be used
|
||||
#
|
||||
nobsdcomp
|
||||
nodeflate
|
||||
@ -1295,19 +1325,19 @@ restart_pptp() {
|
||||
/sbin/service pptp stop
|
||||
sleep 10
|
||||
if /sbin/service pptp start; then
|
||||
/usr/bin/logger "PPTP Restarted"
|
||||
/usr/bin/logger "PPTP Restarted"
|
||||
fi
|
||||
}
|
||||
|
||||
if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
|
||||
if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Attempting to restart PPTP"
|
||||
echo "Attempting to restart PPTP"
|
||||
|
||||
restart_pptp > /dev/null 2>&1 &</programlisting>
|
||||
restart_pptp > /dev/null 2>&1 &</programlisting>
|
||||
|
||||
<para><ulink url="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's
|
||||
<para><ulink url="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's
|
||||
a scriptand corresponding ip-up.local</ulink> from Jerry Vonau
|
||||
<email>jvonau@home.com</email> that controls two PPTP connections.</para>
|
||||
</section>
|
||||
@ -1323,7 +1353,8 @@ restart_pptp > /dev/null 2>&1 &</programlisting>
|
||||
PPTP (interface ppp0). If you have this type of setup, you need to modify
|
||||
the sample configuration that you downloaded as described in this section.
|
||||
<emphasis role="bold">These changes are in addition to those described in
|
||||
the <ulink url="shorewall_quickstart_guide.htm">QuickStart Guides</ulink>.</emphasis></para>
|
||||
the <ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides</ulink>.</emphasis></para>
|
||||
|
||||
<para>Lets assume the following:</para>
|
||||
|
||||
|
BIN
Shorewall-docs2/images/netfilter2.6.png
Normal file
BIN
Shorewall-docs2/images/netfilter2.6.png
Normal file
Binary file not shown.
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-19</pubdate>
|
||||
<pubdate>2004-11-01</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -29,25 +29,27 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<note>
|
||||
<para>For information regarding configuring and building GNU/Linux
|
||||
kernels, see <ulink url="http://www.kernelnewbies.org">http://www.kernelnewbies.org</ulink>.</para>
|
||||
kernels, see <ulink
|
||||
url="http://www.kernelnewbies.org">http://www.kernelnewbies.org</ulink>.</para>
|
||||
</note>
|
||||
|
||||
<section>
|
||||
<title>Network Options Configuration</title>
|
||||
|
||||
<para>Here's a screen shot of my Network Options Configuration:<graphic
|
||||
<para>Here's a screen shot of my Network Options Configuration:<graphic
|
||||
align="center" fileref="images/netopts.jpg" /></para>
|
||||
|
||||
<para>While not all of the options that I've selected are required,
|
||||
they should be sufficient for most applications. Here's an excerpt
|
||||
from the corresponding .config file (Note: If you are running a kernel
|
||||
older than 2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):</para>
|
||||
<para>While not all of the options that I've selected are required, they
|
||||
should be sufficient for most applications. Here's an excerpt from the
|
||||
corresponding .config file (Note: If you are running a kernel older than
|
||||
2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#
|
||||
@ -84,19 +86,19 @@
|
||||
<section>
|
||||
<title>Netfilter Configuration</title>
|
||||
|
||||
<para>Here's a screen shot of my Netfilter configuration:<graphic
|
||||
<para>Here's a screen shot of my Netfilter configuration:<graphic
|
||||
align="center" fileref="images/menuconfig1.jpg" /></para>
|
||||
|
||||
<para>Note that I have built everything I need as modules. You can also
|
||||
build everything into your kernel but if you want to be able to deal with
|
||||
FTP running on a non-standard port then you <emphasis role="bold">must</emphasis>
|
||||
modularize FTP Protocol support.</para>
|
||||
FTP running on a non-standard port then you <emphasis
|
||||
role="bold">must</emphasis> modularize FTP Protocol support.</para>
|
||||
|
||||
<para>Here's the corresponding part of my .config file:</para>
|
||||
<para>Here's the corresponding part of my .config file:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#
|
||||
#   IP: Netfilter Configuration
|
||||
# IP: Netfilter Configuration
|
||||
#
|
||||
CONFIG_IP_NF_CONNTRACK=m
|
||||
CONFIG_IP_NF_FTP=m
|
||||
@ -148,4 +150,97 @@ CONFIG_IP_NF_ARPFILTER=m
|
||||
# CONFIG_IP_NF_COMPAT_IPFWADM is not set</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Kernel 2.6 Netfilter Options</title>
|
||||
|
||||
<para>Here's a screenshot of my modularized 2.6 Kernel config (Navigation:
|
||||
Device Drivers → Networking Support → Networking Options → Network Packet
|
||||
Filtering (replaces ipchains) → IP: Netfilter configuration):</para>
|
||||
|
||||
<graphic align="center" fileref="images/netfilter2.6.png" valign="middle" />
|
||||
|
||||
<para>Here is the corresponding part of the .config file:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>CONFIG_IP_NF_CONNTRACK=m
|
||||
CONFIG_IP_NF_FTP=m
|
||||
CONFIG_IP_NF_IRC=m
|
||||
CONFIG_IP_NF_TFTP=m
|
||||
CONFIG_IP_NF_AMANDA=m
|
||||
CONFIG_IP_NF_QUEUE=m
|
||||
CONFIG_IP_NF_IPTABLES=m
|
||||
CONFIG_IP_NF_MATCH_LIMIT=m
|
||||
CONFIG_IP_NF_MATCH_IPRANGE=m
|
||||
CONFIG_IP_NF_MATCH_MAC=m
|
||||
CONFIG_IP_NF_MATCH_PKTTYPE=m
|
||||
CONFIG_IP_NF_MATCH_MARK=m
|
||||
CONFIG_IP_NF_MATCH_MULTIPORT=m
|
||||
CONFIG_IP_NF_MATCH_TOS=m
|
||||
CONFIG_IP_NF_MATCH_RECENT=m
|
||||
CONFIG_IP_NF_MATCH_ECN=m
|
||||
CONFIG_IP_NF_MATCH_DSCP=m
|
||||
CONFIG_IP_NF_MATCH_AH_ESP=m
|
||||
CONFIG_IP_NF_MATCH_LENGTH=m
|
||||
CONFIG_IP_NF_MATCH_TTL=m
|
||||
CONFIG_IP_NF_MATCH_TCPMSS=m
|
||||
CONFIG_IP_NF_MATCH_HELPER=m
|
||||
CONFIG_IP_NF_MATCH_STATE=m
|
||||
CONFIG_IP_NF_MATCH_CONNTRACK=m
|
||||
CONFIG_IP_NF_MATCH_OWNER=m
|
||||
CONFIG_IP_NF_MATCH_PHYSDEV=m
|
||||
CONFIG_IP_NF_FILTER=m
|
||||
CONFIG_IP_NF_TARGET_REJECT=m
|
||||
CONFIG_IP_NF_NAT=m
|
||||
CONFIG_IP_NF_NAT_NEEDED=y
|
||||
CONFIG_IP_NF_TARGET_MASQUERADE=m
|
||||
CONFIG_IP_NF_TARGET_REDIRECT=m
|
||||
CONFIG_IP_NF_TARGET_NETMAP=m
|
||||
CONFIG_IP_NF_TARGET_SAME=m
|
||||
CONFIG_IP_NF_NAT_LOCAL=y
|
||||
CONFIG_IP_NF_NAT_SNMP_BASIC=m
|
||||
CONFIG_IP_NF_NAT_IRC=m
|
||||
CONFIG_IP_NF_NAT_FTP=m
|
||||
CONFIG_IP_NF_NAT_TFTP=m
|
||||
CONFIG_IP_NF_NAT_AMANDA=m
|
||||
CONFIG_IP_NF_MANGLE=m
|
||||
CONFIG_IP_NF_TARGET_TOS=m
|
||||
CONFIG_IP_NF_TARGET_ECN=m
|
||||
CONFIG_IP_NF_TARGET_DSCP=m
|
||||
CONFIG_IP_NF_TARGET_MARK=m
|
||||
CONFIG_IP_NF_TARGET_CLASSIFY=m
|
||||
CONFIG_IP_NF_TARGET_LOG=m
|
||||
CONFIG_IP_NF_TARGET_ULOG=m
|
||||
CONFIG_IP_NF_TARGET_TCPMSS=m
|
||||
# CONFIG_IP_NF_ARPTABLES is not set
|
||||
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
|
||||
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
|
||||
# CONFIG_IP_NF_RAW is not set
|
||||
CONFIG_IP_NF_MATCH_ADDRTYPE=m
|
||||
# CONFIG_IP_NF_MATCH_REALM is not set
|
||||
CONFIG_IP6_NF_QUEUE=m
|
||||
CONFIG_IP6_NF_IPTABLES=m
|
||||
CONFIG_IP6_NF_MATCH_LIMIT=m
|
||||
CONFIG_IP6_NF_MATCH_MAC=m
|
||||
CONFIG_IP6_NF_MATCH_RT=m
|
||||
CONFIG_IP6_NF_MATCH_OPTS=m
|
||||
CONFIG_IP6_NF_MATCH_FRAG=m
|
||||
CONFIG_IP6_NF_MATCH_HL=m
|
||||
CONFIG_IP6_NF_MATCH_MULTIPORT=m
|
||||
CONFIG_IP6_NF_MATCH_OWNER=m
|
||||
CONFIG_IP6_NF_MATCH_MARK=m
|
||||
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
|
||||
CONFIG_IP6_NF_MATCH_AHESP=m
|
||||
CONFIG_IP6_NF_MATCH_LENGTH=m
|
||||
CONFIG_IP6_NF_MATCH_EUI64=m
|
||||
CONFIG_IP6_NF_FILTER=m
|
||||
CONFIG_IP6_NF_TARGET_LOG=m
|
||||
CONFIG_IP6_NF_MANGLE=m
|
||||
CONFIG_IP6_NF_TARGET_MARK=m
|
||||
# CONFIG_IP6_NF_RAW is not set
|
||||
CONFIG_DECNET_NF_GRABULATOR=m
|
||||
CONFIG_BRIDGE_NF_EBTABLES=m
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
</article>
|