Documentation changes for OLD_PING_HANDLING

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-01-22 00:37:23 +00:00
parent a5f8c0595d
commit b35d93acac
15 changed files with 8315 additions and 7951 deletions

File diff suppressed because it is too large

File diff suppressed because it is too large

View File

@ -28,22 +28,22 @@
Given that I develop and support Shorewall without asking for any renumeration, Given that I develop and support Shorewall without asking for any renumeration,
I can hardly justify paying $200US+ a year to a Certificate Authority such I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority (CA) I am who I am. I have therefore established my own Certificate Authority
and sign my own X.509 certificates. I use these certificates on my mail server (CA) and sign my own X.509 certificates. I use these certificates on my list
(<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>) server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br> which hosts parts of this web site.<br>
<br> <br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part X.509 certificates are the basis for the Secure Socket Layer (SSL). As
of establishing an SSL session (URL https://...), your browser verifies the part of establishing an SSL session (URL https://...), your browser verifies
X.509 certificate supplied by the HTTPS server against the set of Certificate the X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority Certificates that were shipped with your browser. It is expected Authority Certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose identities that the server's certificate was issued by one of the authorities whose
are known to your browser. <br> identities are known to your browser. <br>
<br> <br>
This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar This mechanism, while supposedly guaranteeing that when you connect to
you are REALLY connecting to www.foo.bar, means that the CAs literally have https://www.foo.bar you are REALLY connecting to www.foo.bar, means that
a license to print money -- they are selling a string of bits (an X.509 certificate) the CAs literally have a license to print money -- they are selling a string
for $200US+ per year!!!I <br> of bits (an X.509 certificate) for $200US+ per year!!!I <br>
<br> <br>
I wish that I had decided to become a CA rather that designing and writing I wish that I had decided to become a CA rather that designing and writing
Shorewall.<br> Shorewall.<br>
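Review bot: the reflowed paragraph carries over several typos that this documentation pass could fix in the same edit: "renumeration" in the first line should be "remuneration", "rather that designing" in the last bullet should be "rather than designing", and the stray "I" after "$200US+ per year!!!" looks like a typing slip. Now that the text says the certificates are served from https://lists.shorewall.net rather than https://mail.shorewall.net, the remaining mentions of mail.shorewall.net in this file should be checked so readers are told which host's certificate they will actually be presented with.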
@ -72,8 +72,8 @@ so that it will accept any certificate signed by me. <br>
<li>If you install my CA certificate then you assume that I am trustworthy <li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your browser with a bogus certificate claiming that my server is that of your
your bank.</li> bank.</li>
<li>If you only accept my server's certificate when prompted then the <li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://mail.shorewall.net, most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li> the server you are connecting to might not be mine.</li>
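Review bot: the second bullet still tells readers that the worst case is a spoofed https://mail.shorewall.net, but the earlier hunk in this file moved the certificate to the list server at https://lists.shorewall.net; update the hostname here so the risk statement matches the server whose certificate users are being asked to accept. Spelling in the unchanged lines: "intented" should be "intended" and "to loose" should be "to lose".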
@ -82,10 +82,12 @@ the server you are connecting to might not be mine.</li>
I have my CA certificate loaded into all of my browsers but I certainly I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br> won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br> <br>
</body> </body>

View File

@ -30,6 +30,7 @@
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
@ -39,10 +40,12 @@
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
@ -53,20 +56,25 @@
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li> <li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br> <li><a href="useful_links.html">Useful
Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> <li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li> <li> <a href="mailing_list.htm">Mailing
Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -78,33 +86,38 @@
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington <li><a href="http://www.shorewall.net"
State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS <li> <a
Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the
Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
@ -113,10 +126,10 @@ Repository</a></li>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 <b>Note: </b></strong>Search is unavailable Daily
GMT.<br> 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
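Review bot: the search form's action now posts to http://lists.shorewall.net/cgi-bin/htsearch over plain HTTP, while the certificate page touched in this same commit describes https://lists.shorewall.net as the host that serves the site's X.509 certificate; if the htsearch CGI is reachable over HTTPS, using https:// in the action (and in the Extended Search link in the following hunk) keeps users' search terms from crossing the network in clear text.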
@ -127,13 +140,13 @@ Repository</a></li>
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
@ -145,6 +158,8 @@ Repository</a></li>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -40,10 +40,12 @@
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
@ -57,18 +59,22 @@
<li> <a href="Documentation.htm">Reference <li> <a href="Documentation.htm">Reference
Manual</a></li> Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br> <li><a href="useful_links.html">Useful
Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> <li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li> <li> <a href="mailing_list.htm">Mailing
Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -80,33 +86,39 @@ Manual</a></li>
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington <li><a href="http://www.shorewall.net"
State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS <li> <a
Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from
<li> <a href="shoreline.htm">About the Author</a></li> Users</a></li>
<li> <a href="shoreline.htm">About the
Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
@ -115,10 +127,10 @@ Manual</a></li>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 <b>Note: </b></strong>Search is unavailable Daily
GMT.<br> 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
@ -128,14 +140,14 @@ Manual</a></li>
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input
name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font> type="hidden" name="exclude"
</form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br> <p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p> </p>
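Review bot: the hidden "exclude" input is now split across three lines here ("<input" / "type="hidden" name="exclude"" / "value="[http://lists.shorewall.net/pipermail/*]">") while the other index page in this commit keeps it on two lines with the same content; since this hostname change had to be applied by hand to both copies of the navigation block, keeping the markup of the two pages identical would make the next site-wide edit a straightforward search-and-replace and reduce the chance that one copy is missed.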
@ -145,6 +157,9 @@ Manual</a></li>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -374,7 +374,7 @@ site.</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work component. There's no guarantee that what you find there will work
at all.<br> at all.<br>
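Review bot: the link text still reads "CVS repository at cvs.shorewall.net" but the href now points at Shorewall_CVS_Access.html, an access-instructions page, rather than the cvsweb.cgi repository browser it replaced; either relabel the link to say it leads to access instructions or keep a direct repository link alongside it. The unchanged context also has a stray "the" in "snapshots of the each Shorewall component".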

View File

@ -11,6 +11,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -22,6 +23,7 @@
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
@ -58,13 +60,13 @@ script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten to start Shorewall during boot. It is that file that must be overwritten
with the corrected script. Beginning with Shorewall 1.3.11, you with the corrected script. Beginning with Shorewall 1.3.11,
may rename the existing file before copying in the new file.</b></p> you may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
@ -84,11 +86,12 @@ may rename the existing file before copying in the new file.</b></p>
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems <li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li> with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM <li><b><a href="#SuSE">Problems installing/upgrading
on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version <li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li> 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br> <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and
NAT</a></b><br>
</li> </li>
</ul> </ul>
@ -97,16 +100,33 @@ on RH7.2</a></font></b></li>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.12</h3> <h3>Version 1.3.13</h3>
<ul> <ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the <li>The 'shorewall add' command produces an error message referring to
same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected 'find_interfaces_by_maclist'.</li>
by <a <li>The 'shorewall delete' command can leave behind undeleted rules.<br>
</li>
</ul>
Both problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is
corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br> above.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.12 LRP</h3> <h3>Version 1.3.12 LRP</h3>
<ul> <ul>
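Review bot: in the new 1.3.13 entry the sentence "Both problems are corrected by ... this firewall script" is emitted as bare text after the closing </ul>, whereas the 1.3.12 entry directly below keeps its fix pointer inside the <li>; wrap it in a <p> or move it into the list so it renders as a paragraph like the rest of the page. Since the 'shorewall delete' bug leaves rules in force that the administrator believes are gone, it is worth stating that consequence explicitly and, as the older 1.3.x entries on this page do with "version has a size of 38126 bytes", giving the size of the corrected firewall script so users can confirm they installed the right file.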
@ -135,8 +155,8 @@ following warnings:<br>
     user teastep does not exist - using root<br>      user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>      group teastep does not exist - using root<br>
<br> <br>
These warnings are harmless and may be ignored. Users downloading the These warnings are harmless and may be ignored. Users downloading
.rpm from shorewall.net or mirrors should no longer see these warnings the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li> as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains <li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall ! followed by a sub-zone list) result in an error message and Shorewall
@ -159,11 +179,12 @@ fails to start.<br>
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where version of the firewall script</a> may help. Please report any cases
installing this script in /usr/lib/shorewall/firewall solved your connection where installing this script in /usr/lib/shorewall/firewall solved your
problems. Beginning with version 1.3.10, it is safe to save the old version connection problems. Beginning with version 1.3.10, it is safe to save
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall the old version of /usr/lib/shorewall/firewall before copying in the
is the real script now and not just a symbolic link to the real script.<br> new one since /usr/lib/shorewall/firewall is the real script now and
not just a symbolic link to the real script.<br>
</li> </li>
</ul> </ul>
@ -181,8 +202,8 @@ fails to start.<br>
<blockquote> The updated firewall script at <a <blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as corrects this problem.Copy the script to /usr/lib/shorewall/firewall
described above.<br> as described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
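Review bot: "/usr/lob/shorewall/firewall" in the last line of the hunk is a typo for /usr/lib/shorewall/firewall; because this bullet tells users to edit that file by hand, the wrong path sends them to a file that does not exist. Also add the missing space in "corrects this problem.Copy the script".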
@ -211,8 +232,8 @@ script at <a
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns <li> Use of shell variables in the LOG LEVEL or SYNPARMS
of the policy file doesn't work.</li> columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses <li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
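Review bot: "Version 1.3.8" at the top of this hunk is bare text where the neighbouring entries use <h3> headings (the next hunk has <h3>Version 1.3.7b</h3>); since the bullets underneath are being reflowed anyway, wrapping it as <h3>Version 1.3.8</h3> keeps the errata headings consistent and scannable.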
@ -222,8 +243,8 @@ script at <a
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems. as described above corrects these
problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
@ -257,8 +278,8 @@ script at <a
<ol> <ol>
<li>If the firewall is running <li>If the firewall is running
a DHCP server, the client won't be a DHCP server, the client won't be
able to obtain an IP address lease from able to obtain an IP address lease
that server.</li> from that server.</li>
<li>With this order of checking, <li>With this order of checking,
the "dhcp" option cannot be used as the "dhcp" option cannot be used as
a noise-reduction measure where there a noise-reduction measure where there
@ -391,8 +412,8 @@ so it's a good idea to run that command after you have made configura
version has a size of 38126 bytes.</p> version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface entry <li>The code to detect a duplicate interface
in /etc/shorewall/interfaces contained a typo that prevented entry in /etc/shorewall/interfaces contained a typo that prevented
it from working correctly. </li> it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved <li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li> just like "NAT_BEFORE_RULES=Yes".</li>
@ -421,8 +442,8 @@ version has a size of 38126 bytes.</p>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
each packet is sent through the limit chain twice).</li> each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is <li>An unnecessary jump to the policy chain
sometimes generated for a CONTINUE policy.</li> is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than one <li>When an option is given for more than one
interface in /etc/shorewall/interfaces then depending interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first on the option, Shorewall may ignore all but the first
@ -432,11 +453,11 @@ appearence of the option. For example:<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in <li>Update 17 June 2002 - The bug described
the prior bullet affects the following options: dhcp, dropunclean, in the prior bullet affects the following options: dhcp,
logunclean, norfc1918, routefilter, multi, filterping and dropunclean, logunclean, norfc1918, routefilter, multi,
noping. An additional bug has been found that affects only filterping and noping. An additional bug has been found
the 'routestopped' option.<br> that affects only the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script prior Users who downloaded the corrected script prior
to 1850 GMT today should download and install the corrected to 1850 GMT today should download and install the corrected
@ -490,6 +511,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a from<font color="#ff6633"> <a
@ -515,6 +537,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
@ -529,12 +552,12 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing the Netfilter 'mangle' table. You can correct the problem by
<a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to rpm of iptables, you will need to specify the --oldpackage option to
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
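Review bot: the example command in the last line of the hunk, "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm", names the wrong program: -Uvh and --oldpackage are rpm options, and the sentence itself says the option is passed to rpm, so this should read "rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm".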
@ -573,8 +596,8 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result in /etc/shorewall/nat entries of the following form will result
Shorewall being unable to start:<br> in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -586,7 +609,7 @@ for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it.
The 2.4.19 kernel contains corrected support under a new kernel configuraiton The 2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 1/3/2003 - <p><font size="2"> Last updated 1/21/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
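Review bot: "configuraiton" in the hunk's first context line should be "configuration"; worth fixing while the "Last updated" line next to it is being changed.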
@ -597,5 +620,7 @@ The 2.4.19 kernel contains corrected support under a new kernel configuraiton
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -98,14 +98,15 @@ HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list "for continuous abuse" because it has been my policy to allow HTML in list
posts!!<br> posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control spam and I think that blocking all HTML is a Draconian way to control spam
that the ultimate losers here are not the spammers but the list subscribers and that the ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote whose MTAs are bouncing all shorewall.net mail. As one list subscriber
to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i> wrote to me privately "These e-mail admin's need to get a <i>(explitive
life instead of trying to rid the planet of HTML based e-mail". Nevertheless, deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
to allow subscribers to receive list posts as must as possible, I have now Nevertheless, to allow subscribers to receive list posts as must as possible,
configured the list server at shorewall.net to strip all HTML from outgoing I have now configured the list server at shorewall.net to strip all HTML
posts. This means that HTML-only posts will be bounced by the list server.<br> from outgoing posts. This means that HTML-only posts will be bounced by
the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
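Review bot: the rewrapped paragraph carries two typos onto the new side: "as must as possible" (the line beginning "Nevertheless, to allow subscribers") should read "as much as possible", and "explitive deleted" should be "expletive deleted". Since this hunk only reflows the text, it is the cheapest place to fix both.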
@ -113,15 +114,16 @@ posts!!<br>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the names admin may be blocking mail whose <i>Received:</i> headers contain the names
of certain ISPs. Again, I believe that such policies hurt more than they of certain ISPs. Again, I believe that such policies hurt more than they help
help but I'm not prepared to go so far as to start stripping <i>Received:</i> but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
@ -143,15 +145,15 @@ headers to circumvent those policies.<br>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> </font> <input type="hidden" name="config" value="htdig">
<input type="hidden" name="restrict" <input type="hidden" name="restrict"
value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the entire
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
won't stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
@ -167,40 +169,49 @@ Firewall (such as the one used on my web site), you may <a
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of to get answers to questions and to report problems. Information of
general interest to the Shorewall user community is also posted to this general interest to the Shorewall user community is also posted to
list.</p> this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p> the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list:<br>
href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a> </p>
SSL: <a <ul>
href="https://mail.shorewall.net/mailman/listinfo/shorewall-users" <li><b>Insecure: </b><a
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
</ul>
<p align="left">To post to the list, post to <a <p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p> href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a Shorewall community. To subscribe:<br>
href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a> </p>
SSL: <a <p align="left"></p>
href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce" <ul>
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br> <li><b>Insecure:</b> <a
</a><br> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul>
<p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
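Review bot: the visible text of the SSL links in the new `<ul>` blocks is missing the colon after the scheme: `https//lists.shorewall.net/mailman/listinfo/shorewall-users` and the shorewall-announce equivalent read "https//" even though the `href` attributes are correct, and for the announce list the sentence-ending period is inside the anchor, so the link text ends in "shorewall-announce.". The announce block also introduces an empty `<p align="left"></p>` between "To subscribe:<br>" and the list; drop it, or close the "To subscribe" paragraph before the `<ul>` instead. Since the posting address changes from shorewall-users@shorewall.net to shorewall-users@lists.shorewall.net, it is worth saying whether the old address still forwards, because the page now gives only the new one.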
@ -208,23 +219,27 @@ may be found at <a
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list:<br>
href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a> </p>
SSL: <a <ul>
href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel" <li><b>Insecure: </b><a
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
To post to the list, post to <a <li><b>SSL:</b> <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p> href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted to make from Mailman-managed lists although Mailman 2.1 has attempted to
this less confusing. To unsubscribe:</p> make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
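Review bot: same link-text defect as in the users and announce lists: the SSL entry shows `https//lists.shorewall.net/mailman/listinfo/shorewall-devel.` with no colon after "https" and the period inside the anchor. The "Insecure"/"SSL" labelling is a good addition; consider listing the SSL link first in all three lists so the encrypted subscription form is the one readers reach by default.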
@ -243,8 +258,9 @@ may be found at <a
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there and click on "Unsubscribe"; if you have forgotten your password,
is another button that will cause your password to be emailed to you.</p> there is another button that will cause your password to be emailed
to you.</p>
</li> </li>
</ul> </ul>
@ -254,11 +270,11 @@ may be found at <a
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 12/31/2002 - <a <p align="left"><font size="2">Last updated 1/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
@ -266,5 +282,6 @@ may be found at <a
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -2,11 +2,14 @@
<html> <html>
<head> <head>
<title>ICMP Echo-request (Ping)</title> <title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
@ -20,47 +23,88 @@
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time in a less than consistant Shorewall 'Ping' management has evolved over time with the latest change
way. This page describes how it now works.<br> coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>)
was added to /etc/shorewall/shorewall.conf. The value of that option determines
the overall handling of ICMP echo requests (pings).<br>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2, you need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br> <br>
There are several aspects to Shorewall Ping management:<br> To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default, create <b>/etc/shorewall/icmpdef
</b>if it doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are <li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li> routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
<h2>Ping Requests Addressed to the Firewall Itself</h2>
<h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the <li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
interface that receives the ping request then the request will be responded interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the ping <li>If <b>noping</b> is specified for the interface that receives the
request then the request is ignored.</li> ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li> is passed to the rules/policy evaluation.</li>
</ol> </ol>
<h2>Ping Requests Forwarded by the Firewall</h2>
<h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br> These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h2>Rules Evaluation</h2>
<h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br> Ping requests are ICMP type 8. So the general rule format is:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 1. Accept pings from the net to the dmz (pings are responded to with Example 1. Accept pings from the net to the dmz (pings are responded to
an ICMP echo-reply):<br> with an ICMP echo-reply):<br>
<br> <br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
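Review bot: the new OLD_PING_HANDLING section never states the option's default value, nor what happens when a shorewall.conf carried over from a pre-1.3.14 install lacks the option entirely; an upgrading user needs to know whether their existing noping/filterping/FORWARDPING settings keep working or whether ping is now governed by rules and policies. One sentence giving the default and the behaviour when the option is absent would close that gap. Smaller points in the same hunk: `/etc/shoreall/rules` (in "you need a rule in /etc/shoreall/rules of the form") is a typo for `/etc/shorewall/rules`; the icmpdef paragraph depends on explicit rules being evaluated before the icmpdef default (otherwise the `DROP z1 z2 icmp 8` example could not override the `run_iptables -A icmpdef ... -j ACCEPT` line), so state that ordering explicitly; and the stray empty `<blockquote> </blockquote>` after the `DROP net fw icmp 8` example should be removed.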
@ -69,22 +113,27 @@ Example 2. Drop pings from the net to the firewall<br>
<br> <br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<h2>Policy Evaluation</h2>
<h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the destination If no applicable rule is found, then the policy for the source to the destination
is applied.<br> is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded to with <li>If the relevant policy is ACCEPT then the request is responded to
an ICMP echo-reply.</li> with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li> then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request <li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li> is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 12/13/2002 - <a
href="support.htm">Tom Eastep</a> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> </ol>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><font size="2">Updated 1/21/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
</body> </body>
</html> </html>

View File

@ -103,9 +103,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
firewall that can be used on a dedicated firewall system, a multi-function <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -116,24 +117,25 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
General Public License</a> as published by the Free Software Foundation.<br> Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program is distributed in the hope that This program is distributed in the hope
it will be useful, but WITHOUT ANY WARRANTY; that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU or FITNESS FOR A PARTICULAR PURPOSE. See the
General Public License for more details.<br> GNU General Public License for more details.<br>
<br> <br>
You should have received a copy of the GNU You should have received a copy of the
General Public License along with this program; GNU General Public License along with this
if not, write to the Free Software Foundation, program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -144,6 +146,7 @@ General Public License for more details.<br>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -158,24 +161,24 @@ General Public License for more details.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak
a LEAF (router/firewall/gateway on a floppy, CD or compact have a LEAF (router/firewall/gateway on a floppy, CD or
flash) distribution called <i>Bering</i> that compact flash) distribution called <i>Bering</i>
features Shorewall-1.3.10 and Kernel-2.4.18. You that features Shorewall-1.3.10 and Kernel-2.4.18.
can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of Bering
Bering 1.0 Final!!! </b><br> 1.0 Final!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -198,6 +201,7 @@ Bering 1.0 Final!!! </b><br>
<h2></h2> <h2></h2>
@ -205,9 +209,30 @@ Bering 1.0 Final!!! </b><br>
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> <p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img
</b><br> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
documenation. the PDF may be downloaded from</p>
    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
<p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and
ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
big thanks to Alex for making this happen.<br>
</p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><br>
</p> </p>
<p>Just includes a few things that I had on the burner:<br> <p>Just includes a few things that I had on the burner:<br>
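Review bot: the new news entry is dated "1/18/2002" but sits above entries dated 1/17/2003 and 1/13/2003, so the year should be 2003. In the same entry, "documenation" should be "documentation" and "the PDF may be downloaded from" starts a sentence, so it needs a capital; the two download links are also placed outside any `<p>` and indented with non-breaking spaces, whereas the rest of the page (for example the 1.3.12 Beta 3 entry) puts download links in a `<blockquote>`.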
@ -218,10 +243,10 @@ Bering 1.0 Final!!! </b><br>
file. DNAT- is intended for advanced users who wish to minimize the number file. DNAT- is intended for advanced users who wish to minimize the number
of rules that connection requests must traverse.<br> of rules that connection requests must traverse.<br>
<br> <br>
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting A Shorewall DNAT rule actually generates two iptables rules: a header
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
rule only generates the first of these rules. This is handy when you have A DNAT- rule only generates the first of these rules. This is handy when
several DNAT rules that would generate the same ACCEPT rule.<br> you have several DNAT rules that would generate the same ACCEPT rule.<br>
<br> <br>
   Here are three rules from my previous rules file:<br>    Here are three rules from my previous rules file:<br>
<br> <br>
@ -233,26 +258,26 @@ several DNAT rules that would generate the same ACCEPT rule.<br>
<br> <br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br> <br>
   By writing the rules this way, I end up with only one copy of the ACCEPT    By writing the rules this way, I end up with only one copy of the
rule.<br> ACCEPT rule.<br>
<br> <br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br> <br>
</li> </li>
<li>The 'shorewall check' command now prints out the applicable policy <li>The 'shorewall check' command now prints out the applicable
between each pair of zones.<br> policy between each pair of zones.<br>
<br> <br>
</li> </li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If this <li>A new CLEAR_TC option has been added to shorewall.conf. If
option is set to 'No' then Shorewall won't clear the current traffic control this option is set to 'No' then Shorewall won't clear the current traffic
rules during [re]start. This setting is intended for use by people that prefer control rules during [re]start. This setting is intended for use by people
to configure traffic shaping when the network interfaces come up rather than that prefer to configure traffic shaping when the network interfaces come
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes up rather than when the firewall is started. If that is what you want to
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
your traffic shaping rules can still use the 'fwmark' classifier based on file. That way, your traffic shaping rules can still use the 'fwmark' classifier
packet marking defined in /etc/shorewall/tcrules.<br> based on packet marking defined in /etc/shorewall/tcrules.<br>
<br> <br>
</li> </li>
<li>A new SHARED_DIR variable has been added that allows distribution <li>A new SHARED_DIR variable has been added that allows distribution
@ -260,7 +285,9 @@ packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf Users should never have a need to change the value of this shorewall.conf
setting.<br> setting.<br>
</li> </li>
</ol> </ol>
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p> </b></p>
@ -289,26 +316,28 @@ setting.<br>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p> </b></p>
<p> Features include:<br> <p> Features include:<br>
</p> </p>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules <li>"shorewall refresh" now reloads the traffic shaping
(tcrules and tcstart).</li> rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after <li>"shorewall debug [re]start" now turns off debugging
an error occurs. This places the point of the failure near the end of after an error occurs. This places the point of the failure near the
the trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than <li>"shorewall [re]start" has been speeded up by more
40% with my configuration. Your milage may vary.</li> than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added <li>A "shorewall show classifiers" command has been added
which shows the current packet classification filters. The output from which shows the current packet classification filters. The output
this command is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog <li>ULOG (must be all caps) is now accepted as a valid
level and causes the subject packets to be logged using the ULOG target syslog level and causes the subject packets to be logged using the ULOG
rather than the LOG target. This allows you to run ulogd (available from target rather than the LOG target. This allows you to run ulogd (available
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a and log all Shorewall messages <a href="shorewall_logging.html">to
separate log file</a>.</li> a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain <li>If you are running a kernel that has a FORWARD chain
in the mangle table ("shorewall show mangle" will show you the chains in the mangle table ("shorewall show mangle" will show you the chains
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
@ -316,9 +345,9 @@ in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
input packets based on their destination even when you are using Masquerading input packets based on their destination even when you are using Masquerading
or SNAT.</li> or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with <li>I have cluttered up the /etc/shorewall directory with
empty 'init', 'start', 'stop' and 'stopped' files. If you already have empty 'init', 'start', 'stop' and 'stopped' files. If you already
a file with one of these names, don't worry -- the upgrade process won't have a file with one of these names, don't worry -- the upgrade process
overwrite your file.</li> won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a <li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the syslog level at which packets are logged as a result of entries in
@ -326,17 +355,21 @@ overwrite your file.</li>
logged at the 'info' level.<br> logged at the 'info' level.<br>
</li> </li>
</ol> </ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta This version corrects a problem with Blacklist logging. In Beta
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
fail to start and "shorewall refresh" would also fail.<br> fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br> <p> You may download the Beta from:<br>
</p> </p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
@ -345,8 +378,8 @@ logged at the 'info' level.<br>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now available The first public Beta version of Shorewall 1.3.12 is now
(Beta 1 was made available to a limited audience). <br> available (Beta 1 was made available to a limited audience). <br>
<br> <br>
Features include:<br> Features include:<br>
<br> <br>
@ -358,22 +391,23 @@ logged at the 'info' level.<br>
<li>"shorewall debug [re]start" now turns off debugging <li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near the after an error occurs. This places the point of the failure near the
end of the trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more <li>"shorewall [re]start" has been speeded up by
than 40% with my configuration. Your milage may vary.</li> more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been <li>A "shorewall show classifiers" command has been
added which shows the current packet classification filters. The output added which shows the current packet classification filters. The output
from this command is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid <li>ULOG (must be all caps) is now accepted as a
syslog level and causes the subject packets to be logged using the ULOG valid syslog level and causes the subject packets to be logged using
target rather than the LOG target. This allows you to run ulogd (available the ULOG target rather than the LOG target. This allows you to run ulogd
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) (available from <a
and log all Shorewall messages <a href="shorewall_logging.html">to a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
separate log file</a>.</li> and log all Shorewall messages <a href="shorewall_logging.html">to
<li>If you are running a kernel that has a FORWARD chain a separate log file</a>.</li>
in the mangle table ("shorewall show mangle" will show you the chains <li>If you are running a kernel that has a FORWARD
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. chain in the mangle table ("shorewall show mangle" will show you the
This allows for marking input packets based on their destination even chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
when you are using Masquerading or SNAT.</li> in shorewall.conf. This allows for marking input packets based on
their destination even when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory <li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process have a file with one of these names, don't worry -- the upgrade process
@ -406,11 +440,13 @@ won't overwrite your file.</li>
</b></p> </b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now delivered. I have installed 9.0 on one of my systems and I am now
in a position to support Shorewall users who run Mandrake 9.0.</p> in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p> </p>
@ -437,11 +473,13 @@ won't overwrite your file.</li>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
@ -450,6 +488,7 @@ won't overwrite your file.</li>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p> </b></p>
@ -460,14 +499,15 @@ won't overwrite your file.</li>
<ul> <ul>
<li>A 'tcpflags' option has been added to <li>A 'tcpflags' option has been added
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. to entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet This option causes Shorewall to make a set of sanity check on TCP
header flags.</li> packet header flags.</li>
<li>It is now allowed to use 'all' in the <li>It is now allowed to use 'all' in the
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>. SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and When used, 'all' must appear by itself (in may not be qualified)
it does not enable intra-zone traffic. For example, the rule <br> and it does not enable intra-zone traffic. For example, the rule
<br>
<br> <br>
    ACCEPT loc all tcp 80<br>     ACCEPT loc all tcp 80<br>
<br> <br>
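Review bot: two pre-existing typos are carried through this reflow of the 'all' and 'tcpflags' items: "(in may not be qualified)" should read "(it may not be qualified)", and "a set of sanity check on TCP packet header flags" should be "a set of sanity checks". Since the hunk only re-wraps these lines, it is the natural place to fix them.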
@ -550,11 +590,11 @@ is now compatible with bash clones such as ash and dash.</li>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free but
but if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
@ -570,7 +610,7 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>

View File

@ -45,7 +45,7 @@ and is located in California, USA. It is mirrored at:</p>
(Martinez (Zona Norte - GBA), Argentina)</li> (Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a> <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br> (Washington State, USA)<br>
</li> </li>

View File

@ -6,6 +6,7 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -13,8 +14,8 @@
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -37,14 +38,15 @@
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables made 1.3 - <font size="4">"<i>iptables
easy"</i></font></font><a href="http://www.sf.net"> </a></h1> made easy"</i></font></font><a href="http://www.sf.net"> </a></h1>
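Review bot: the logo's alt text in the unchanged context reads "Shorwall Logo" (missing the 'e'); while this header is being re-wrapped it would be worth correcting it, and the empty `<a href="http://www.sf.net"> </a>` anchor at the end of the heading carries no text or image and could be dropped.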
@ -67,6 +69,7 @@
<div align="center"> <div align="center">
<center> <center>
@ -99,7 +102,8 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -113,25 +117,28 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
General Public License</a> as published by the Free Software Foundation.<br> Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program is distributed in the This program is distributed in the
hope that it will be useful, but WITHOUT ANY hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the or FITNESS FOR A PARTICULAR PURPOSE. See
GNU General Public License for more details.<br> the GNU General Public License for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of
GNU General Public License along with this the GNU General Public License along with
program; if not, write to the Free Software Foundation, this program; if not, write to the Free Software
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -163,11 +170,12 @@ hope that it will be useful, but WITHOUT ANY
that features Shorewall-1.3.10 and Kernel-2.4.18. that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on <b>Congratulations to Jacques and Eric
the recent release of Bering 1.0 Final!!! <br> on the recent release of Bering 1.0 Final!!! <br>
</b> </b>
<h2>News</h2> <h2>News</h2>
@ -182,6 +190,28 @@ the recent release of Bering 1.0 Final!!! <br>
<p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
documenation. the PDF may be downloaded from</p>
    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
<p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and
ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
big thanks to Alex for making this happen.<br>
</p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0" <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
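Review bot: the date on the new PDF entry reads "1/18/2002" but it sits above the 1/17/2003 and 1/13/2003 entries and describes the 1.3.13 documentation, so it should be "1/18/2003". Two smaller points in the same block: the download links are not wrapped in a `<p>` the way the earlier PDF entries are (`<p>    <a href="ftp://slovakia...`), and the ftp link uses `target="_self"` where the other PDF links on the page use `target="_top"`. "documenation. the PDF" should also be "documentation. The PDF".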
@ -195,10 +225,10 @@ the recent release of Bering 1.0 Final!!! <br>
file. DNAT- is intended for advanced users who wish to minimize the number file. DNAT- is intended for advanced users who wish to minimize the number
of rules that connection requests must traverse.<br> of rules that connection requests must traverse.<br>
<br> <br>
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting A Shorewall DNAT rule actually generates two iptables rules: a header
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
rule only generates the first of these rules. This is handy when you have A DNAT- rule only generates the first of these rules. This is handy when
several DNAT rules that would generate the same ACCEPT rule.<br> you have several DNAT rules that would generate the same ACCEPT rule.<br>
<br> <br>
   Here are three rules from my previous rules file:<br>    Here are three rules from my previous rules file:<br>
<br> <br>
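Review bot: the DNAT- paragraph should say explicitly that a DNAT- rule by itself does not permit the connection. As the text states, a DNAT rule produces a nat-table rewrite plus a filter-table ACCEPT and DNAT- produces only the first, so a DNAT- rule without a matching ACCEPT leaves the rewritten request subject to the net->dmz policy. The worked example that follows does include the ACCEPT rule, but a reader skimming the first paragraph could take DNAT- as a drop-in replacement for DNAT; one sentence such as "A DNAT- rule must always be paired with an ACCEPT rule that admits the connection" would close that gap.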
@ -210,33 +240,35 @@ several DNAT rules that would generate the same ACCEPT rule.<br>
<br> <br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br> <br>
   By writing the rules this way, I end up with only one copy of the ACCEPT    By writing the rules this way, I end up with only one copy of the
rule.<br> ACCEPT rule.<br>
<br> <br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br> <br>
</li> </li>
<li>The 'shorewall check' command now prints out the applicable policy <li>The 'shorewall check' command now prints out the applicable
between each pair of zones.<br> policy between each pair of zones.<br>
<br> <br>
</li> </li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If this <li>A new CLEAR_TC option has been added to shorewall.conf. If
option is set to 'No' then Shorewall won't clear the current traffic control this option is set to 'No' then Shorewall won't clear the current traffic
rules during [re]start. This setting is intended for use by people that prefer control rules during [re]start. This setting is intended for use by people
to configure traffic shaping when the network interfaces come up rather than that prefer to configure traffic shaping when the network interfaces come
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes up rather than when the firewall is started. If that is what you want to
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
your traffic shaping rules can still use the 'fwmark' classifier based on file. That way, your traffic shaping rules can still use the 'fwmark' classifier
packet marking defined in /etc/shorewall/tcrules.<br> based on packet marking defined in /etc/shorewall/tcrules.<br>
<br> <br>
</li> </li>
<li>A new SHARED_DIR variable has been added that allows distribution <li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall). packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf Users should never have a need to change the value of this shorewall.conf
setting.</li> setting.</li>
</ol> </ol>
<p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p> </b></p>
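Review bot: the CLEAR_TC description tells the reader to set TC_ENABLED=Yes and CLEAR_TC=No and omit /etc/shorewall/tcstart, but it does not say how that setting interacts with "shorewall refresh", which the 12/27/2002 entry on this same page says now reloads tcrules and tcstart. A sentence stating whether refresh also leaves the existing traffic control rules in place when CLEAR_TC=No would prevent surprises for people who manage shaping from their interface scripts.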
@ -265,26 +297,28 @@ setting.</li>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p> </b></p>
<p> Features include:<br> <p> Features include:<br>
</p> </p>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules <li>"shorewall refresh" now reloads the traffic shaping
(tcrules and tcstart).</li> rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after <li>"shorewall debug [re]start" now turns off debugging
an error occurs. This places the point of the failure near the end of after an error occurs. This places the point of the failure near the
the trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than <li>"shorewall [re]start" has been speeded up by more
40% with my configuration. Your milage may vary.</li> than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added <li>A "shorewall show classifiers" command has been added
which shows the current packet classification filters. The output from which shows the current packet classification filters. The output
this command is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog <li>ULOG (must be all caps) is now accepted as a valid
level and causes the subject packets to be logged using the ULOG target syslog level and causes the subject packets to be logged using the ULOG
rather than the LOG target. This allows you to run ulogd (available from target rather than the LOG target. This allows you to run ulogd (available
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a and log all Shorewall messages <a href="shorewall_logging.html">to
separate log file</a>.</li> a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain <li>If you are running a kernel that has a FORWARD chain
in the mangle table ("shorewall show mangle" will show you the chains in the mangle table ("shorewall show mangle" will show you the chains
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
@ -292,26 +326,30 @@ in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
input packets based on their destination even when you are using Masquerading input packets based on their destination even when you are using Masquerading
or SNAT.</li> or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with <li>I have cluttered up the /etc/shorewall directory with
empty 'init', 'start', 'stop' and 'stopped' files. If you already have empty 'init', 'start', 'stop' and 'stopped' files. If you already
a file with one of these names, don't worry -- the upgrade process won't have a file with one of these names, don't worry -- the upgrade process
overwrite your file.</li> won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a <li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the syslog level at which packets are logged as a result of entries in
the /etc/shorewall/rfc1918 file. Previously, these packets were always the /etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.</li> logged at the 'info' level.</li>
</ol> </ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta This version corrects a problem with Blacklist logging. In Beta
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall
fail to start and "shorewall refresh" would also fail.<br> would fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br> <p> You may download the Beta from:<br>
</p> </p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
@ -320,8 +358,8 @@ logged at the 'info' level.</li>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now available The first public Beta version of Shorewall 1.3.12 is now
(Beta 1 was made available only to a limited audience). <br> available (Beta 1 was made available only to a limited audience). <br>
<br> <br>
Features include:<br> Features include:<br>
<br> <br>
@ -333,22 +371,23 @@ logged at the 'info' level.</li>
<li>"shorewall debug [re]start" now turns off debugging <li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near the after an error occurs. This places the point of the failure near the
end of the trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more <li>"shorewall [re]start" has been speeded up by
than 40% with my configuration. Your milage may vary.</li> more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been <li>A "shorewall show classifiers" command has been
added which shows the current packet classification filters. The output added which shows the current packet classification filters. The output
from this command is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid <li>ULOG (must be all caps) is now accepted as a
syslog level and causes the subject packets to be logged using the ULOG valid syslog level and causes the subject packets to be logged using
target rather than the LOG target. This allows you to run ulogd (available the ULOG target rather than the LOG target. This allows you to run ulogd
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) (available from <a
and log all Shorewall messages <a href="shorewall_logging.html">to a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
separate log file</a>.</li> and log all Shorewall messages <a href="shorewall_logging.html">to
<li>If you are running a kernel that has a FORWARD chain a separate log file</a>.</li>
in the mangle table ("shorewall show mangle" will show you the chains <li>If you are running a kernel that has a FORWARD
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. chain in the mangle table ("shorewall show mangle" will show you the
This allows for marking input packets based on their destination even chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
when you are using Masquerading or SNAT.</li> in shorewall.conf. This allows for marking input packets based on
their destination even when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory <li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process have a file with one of these names, don't worry -- the upgrade process
@ -381,11 +420,13 @@ won't overwrite your file.</li>
</b></p> </b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now delivered. I have installed 9.0 on one of my systems and I am now
in a position to support Shorewall users who run Mandrake 9.0.</p> in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p> </p>
@ -412,11 +453,13 @@ won't overwrite your file.</li>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
@ -425,6 +468,7 @@ won't overwrite your file.</li>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p> </b></p>
@ -435,22 +479,23 @@ won't overwrite your file.</li>
<ul> <ul>
<li>A 'tcpflags' option has been added to <li>A 'tcpflags' option has been added
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. to entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li> header flags.</li>
<li>It is now allowed to use 'all' in the <li>It is now allowed to use 'all' in
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>. the SOURCE or DEST column in a <a
When used, 'all' must appear by itself (in may not be qualified) href="Documentation.htm#Rules">rule</a>. When used, 'all' must
and it does not enable intra-zone traffic. For example, the rule <br> appear by itself (in may not be qualified) and it does not enable
intra-zone traffic. For example, the rule <br>
<br> <br>
    ACCEPT loc all tcp 80<br>     ACCEPT loc all tcp 80<br>
<br> <br>
does not enable http traffic from 'loc' to 'loc'.</li> does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command <li>Shorewall's use of the 'echo' command
is now compatible with bash clones such as ash and dash.</li> is now compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup <li>fw-&gt;fw policies now generate a
error. fw-&gt;fw rules generate a warning and are ignored</li> startup error. fw-&gt;fw rules generate a warning and are ignored</li>
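Review bot: the same two typos noted for the earlier copy of this list are carried into this re-wrap: "(in may not be qualified)" should be "(it may not be qualified)" and "a set of sanity check" should be "a set of sanity checks".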
@ -463,11 +508,13 @@ is now compatible with bash clones such as ash and dash.</li>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
@ -476,9 +523,11 @@ is now compatible with bash clones such as ash and dash.</li>
<p><b></b></p> <p><b></b></p>
<ul> <ul>
@ -493,6 +542,7 @@ is now compatible with bash clones such as ash and dash.</li>
<p><b></b><a href="News.htm">More News</a></p> <p><b></b><a href="News.htm">More News</a></p>
@ -510,6 +560,7 @@ is now compatible with bash clones such as ash and dash.</li>
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -518,6 +569,7 @@ is now compatible with bash clones such as ash and dash.</li>
<h4> </h4> <h4> </h4>
@ -529,6 +581,7 @@ is now compatible with bash clones such as ash and dash.</li>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
@ -586,11 +639,11 @@ is now compatible with bash clones such as ash and dash.</li>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free but
but if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
@ -606,7 +659,7 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>

View File

@ -41,14 +41,14 @@
</tbody> </tbody>
</table> </table>
<p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
not involved in either Shorewall development or Shorewall support. Nevertheless, emailed directly to me, I try to spend some time each day answering questions
the mailing list is being ably manned by other Shorewall users.</font></big><span on the Shorewall Users Mailing List.</font></big><span
style="font-weight: 400;"></span></big></b></p> style="font-weight: 400;"></span></big></b></p>
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2> <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h2>Before Reporting a Problem</h2> <h1>Before Reporting a Problem</h1>
There are a number of sources for problem There are a number of sources for problem
solution information. Please try these before you post. solution information. Please try these before you post.
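Review bot: the "Before Reporting a Problem" heading is promoted from `<h2>` to `<h1>` while the sibling sections later in the same file ("Mailing List Archive Search", "Please post in plain text") stay at `<h2>`, so the page gains a lone top-level heading in the middle of the body; keep `<h2>Before Reporting a Problem</h2>` unless the other section headings are promoted with it. The new notice text also carries a doubled space in "Shorewall  questions".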
@ -57,8 +57,8 @@
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>More than half of the questions posted on the support list <li>More than half of the questions posted on the support
have answers directly accessible from the <a list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br> <br>
</li> </li>
@ -98,7 +98,7 @@ has solutions to more than 20 common problems. </li>
<h2>Mailing List Archive Search</h2> <h2>Mailing List Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
@ -126,7 +126,7 @@ has solutions to more than 20 common problems. </li>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
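Review bot: the htdig `restrict` value now only admits `[http://lists.shorewall.net/pipermail/.*]`, so any archive pages still held in the index under the old `mail.shorewall.net` hostname will be filtered out of every search until the index is rebuilt; either reindex as part of this change or use a pattern that accepts both hostnames during the transition. The `action` change to `http://lists.shorewall.net/cgi-bin/htsearch` in the previous hunk is consistent with this one.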
@ -151,8 +151,8 @@ all of the explanations for the smells would be completely plausible."<br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>Please remember we only know what is posted in your message. Do <li>Please remember we only know what is posted in your message.
not leave out any information that appears to be correct, or was mentioned Do not leave out any information that appears to be correct, or was mentioned
in a previous post. There have been countless posts by people who were in a previous post. There have been countless posts by people who were
sure that some part of their configuration was correct when it actually sure that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is lacking.<br> contained a small error. We tend to be skeptics where detail is lacking.<br>
@ -167,10 +167,10 @@ entries, command output, and other output is better than a paraphrase or
summary.<br> summary.<br>
<br> <br>
</li> </li>
<li> Please don't describe your environment <li> Please don't describe your
and then ask us to send you custom configuration files. environment and then ask us to send you custom configuration
We're here to answer your questions but we can't do your files. We're here to answer your questions but we can't
job for you.<br> do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> include this <li>When reporting a problem, <strong>ALWAYS</strong> include this
@ -299,6 +299,7 @@ you try to "<font color="#009900"><b>shorewall start</b></font>",
<ul> <ul>
<li> <li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of <h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3> post will be rejected.</b></h3>
@ -307,15 +308,16 @@ post will be rejected.</b></h3>
</ul> </ul>
The author gratefully acknowleges that the above list was heavily plagiarized The author gratefully acknowleges that the above list was heavily plagiarized
from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
at <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
<blockquote> </blockquote> <blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting all A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list "for continuous abuse" because it has been my policy to allow HTML in
posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control spam I think that blocking all HTML is a Draconian way to control spam
and that the ultimate losers here are not the spammers but the list subscribers and that the ultimate losers here are not the spammers but the list subscribers
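Review bot: the re-wrapped acknowledgement paragraph still reads "gratefully acknowleges"; since the line is being touched anyway, correct it to "acknowledges". The empty `<blockquote> </blockquote>` directly under "Please post in plain text" renders as nothing but an indent and can be dropped.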
@ -336,27 +338,28 @@ from outgoing posts.<br>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then (MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a> href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing list.</a>
<b>Do not expect to get free MNF support on the list.</b><br> <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p> href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing list.</a></p>
</blockquote> </blockquote>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 1/16/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>
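Review bot: the footer on the right side reads "Last Updated 1/16/2002", but the copyright line immediately below it already covers 2003 and the other pages in this commit are dated 1/18/2003 and 1/21/2003, so the year is almost certainly a typo for 1/16/2003. The mailto and listinfo links are consistently moved to `shorewall-users@lists.shorewall.net` and `http://lists.shorewall.net/mailman/listinfo/shorewall-users`, matching the search-form host change earlier in this file.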

View File

@ -31,8 +31,8 @@
<h2 align="center">Version 2.0.1</h2> <h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up a Linux system as a firewall for a small network <p align="left">Setting up a Linux system as a firewall for a small network
with DMZ is a fairly straight-forward task if you understand the basics with DMZ is a fairly straight-forward task if you understand the
and follow the documentation.</p> basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
@ -55,8 +55,8 @@ dial-up, ...</li>
</p> </p>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
if this package is installed by the presence of an <b>ip</b> program tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to on your firewall system. As root, you can use the 'which' command to
check for this program:</p> check for this program:</p>
@ -103,8 +103,8 @@ names that were placed in /etc/shorewall when Shorewall was installed)</b>.<
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration, the set of <i>zones.</i> In the three-interface sample configuration,
following zone names are used:</p> the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -147,10 +147,10 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
</ul> </ul>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file checked against the /etc/shorewall/rules file. If no rule in that
matches the connection request then the first policy in /etc/shorewall/policy file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP  that matches the request is applied. If that policy is REJECT or
the request is first checked against the rules in /etc/shorewall/common DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample <p>The /etc/shorewall/policy file included with the three-interface sample
@ -189,6 +189,7 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -216,6 +217,7 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -223,8 +225,8 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from your local network to <li>allow all connection requests from your local network
the internet</li> to the internet</li>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the internet
to your firewall or local network</li> to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall <li>optionally accept all connection requests from the firewall
@ -234,8 +236,8 @@ to your firewall or local network</li>
</ol> </ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and make     At this point, edit your /etc/shorewall/policy file and
any changes that you wish.</p> make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2> <h2 align="left">Network Interfaces</h2>
@ -249,9 +251,9 @@ to your firewall or local network</li>
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect via Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
a regular modem, your External Interface will also be <b>ppp0</b>. If you via a regular modem, your External Interface will also be <b>ppp0</b>.
connect using ISDN, you external interface will be <b>ippp0.</b></p> If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
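Review bot: the re-wrapped sentence "If you connect using ISDN, you external interface will be <b>ippp0.</b>" still has "you" where "your" is meant; fix it while the line is being changed, and move the period outside the `<b>` so that only the interface name is emboldened, as in the `<b>ppp0</b>` references just before it.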
@ -274,25 +276,27 @@ computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same hub </b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect it or switch (even for testing). It won't work the way that you expect
to and you will end up confused and believing that Shorewall doesn't it to and you will end up confused and believing that Shorewall doesn't
work at all.</p> work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    The Shorewall three-interface sample configuration assumes     The Shorewall three-interface sample configuration assumes
that the external interface is <b>eth0, </b>the local interface is <b>eth1 that the external interface is <b>eth0, </b>the local interface is
</b>and the DMZ interface is <b> eth2</b>. If your configuration is different, <b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
you will have to modify the sample /etc/shorewall/interfaces file accordingly. is different, you will have to modify the sample /etc/shorewall/interfaces
While you are there, you may wish to review the list of options that file accordingly. While you are there, you may wish to review the list
are specified for the interfaces. Some hints:</p> of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the
option list. </p> option list. </p>
@ -309,9 +313,9 @@ the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address is to use that address permanently.<i> </i>Regardless of how the address
assigned, it will be shared by all of your systems when you access the is assigned, it will be shared by all of your systems when you access
Internet. You will have to assign your own addresses for your internal the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other network (the local and DMZ Interfaces on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for computers). RFC 1918 reserves several <i>Private </i>IP address ranges for
this purpose:</p> this purpose:</p>
@ -334,8 +338,8 @@ entry in /etc/shorewall/interfaces.</p>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of a subnet. For our purposes, we can consider a subnet to consists of a
range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i> <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i>
<i>Address</i>. In Shorewall, a subnet is described using <a <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed </i>(CIDR)</a> notation with consists of the subnet address followed
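Review bot: two wording slips sit in this re-wrapped paragraph: "we can consider a subnet to consists of" should read "to consist of", and "(CIDR)</a> notation with consists of" should read "which consists of". Both lines are already within the hunk, so the correction fits in this commit.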
@ -369,6 +373,7 @@ the left of the subnet mask. </p>
<td>10.10.10.0/24</td> <td>10.10.10.0/24</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -376,8 +381,8 @@ the left of the subnet mask. </p>
<div align="left"> <div align="left">
<p align="left">It is conventional to assign the internal interface either <p align="left">It is conventional to assign the internal interface either
the first usable address in the subnet (10.10.10.1 in the above example) the first usable address in the subnet (10.10.10.1 in the above
or the last usable address (10.10.10.254).</p> example) or the last usable address (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
@ -411,9 +416,19 @@ more about IP addressing and routing, I highly recommend <i>"IP Fundamental
</p> </p>
<p align="left">The default gateway for the DMZ computers would be 10.10.11.254 <p align="left">The default gateway for the DMZ computers would be 10.10.11.254
and the default gateway for the Local computers would be 10.10.10.254.</p> and the default gateway for the Local computers would be 10.10.10.254.<br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2> <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network and if it is in the 10.10.11.0/24 subnet then you will need
to select a different RFC 1918 subnet for your DMZ.</b><br>
</p>
<p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
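Review bot: the `<h2 align="left">IP Masquerading (SNAT)</h2>` heading is replaced on the right side by `<p align="left">IP Masquerading (SNAT)</p>`, which demotes a section heading to a plain paragraph; every other section in this guide ("Network Interfaces", "Port Forwarding (DNAT)") keeps its `<h2>`, so this looks accidental. Restore the `<h2>` immediately after the new WARNING paragraph. The warning itself is a worthwhile addition: the sample configuration assumes 10.10.10.0/24 for the local network and 10.10.11.0/24 for the DMZ, and an ISP-assigned RFC 1918 address on the external interface that falls inside either range would collide with those internal subnets, which is exactly why the text tells the reader to pick a different RFC 1918 subnet in that case.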
@ -423,12 +438,12 @@ of your local systems (let's assume local computer 1) sends a connection
Translation </i>(NAT). The firewall rewrites the source address in the Translation </i>(NAT). The firewall rewrites the source address in the
packet to be the address of the firewall's external interface; in other packet to be the address of the firewall's external interface; in other
words, the firewall makes it look as if the firewall itself is initiating words, the firewall makes it look as if the firewall itself is initiating
the connection.  This is necessary so that the destination host will be the connection.  This is necessary so that the destination host will
able to route return packets back to the firewall (remember that packets be able to route return packets back to the firewall (remember that
whose destination address is reserved by RFC 1918 can't be routed accross packets whose destination address is reserved by RFC 1918 can't be routed
the internet). When the firewall receives a return packet, it rewrites accross the internet). When the firewall receives a return packet, it
the destination address back to 10.10.10.1 and forwards the packet on rewrites the destination address back to 10.10.10.1 and forwards the
to local computer 1. </p> packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to <p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network as<i> IP Masquerading</i> and you will also see the term <i>Source Network
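Review bot: "accross" in "can't be routed accross the internet" is misspelled on both sides of this hunk; since the line is being re-wrapped, correct it to "across".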
@ -437,11 +452,13 @@ with Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> describes the case where you let your <p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address. firewall system automatically detect the external interface address.
</p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local the source address that you want outbound packets from your local
network to use. </p> network to use. </p>
@ -454,17 +471,17 @@ network to use. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, your local     If your external firewall interface is <b>eth0</b>, your
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
do not need to modify the file provided with the sample. Otherwise, edit you do not need to modify the file provided with the sample. Otherwise,
/etc/shorewall/masq and change it to match your configuration.</p> edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If your external IP is static, you can enter it in the third     If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static IP will work fine if you leave that column empty. Entering your static
in column 3 makes <br> IP in column 3 makes <br>
processing outgoing packets a little more efficient.<br> processing outgoing packets a little more efficient.<br>
</p> </p>
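Review bot: the `<br>` inside "Entering your static IP in column 3 makes <br> processing outgoing packets a little more efficient" forces a line break in the middle of a sentence; drop the `<br>` and let the browser wrap the sentence naturally.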
@ -485,9 +502,9 @@ do not need to modify the file provided with the sample. Otherwise, edit
<h2 align="left">Port Forwarding (DNAT)</h2> <h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals will be to run one or more servers on your <p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it is DMZ computers. Because these computers have RFC-1918 addresses, it
not possible for clients on the internet to connect directly to them. is not possible for clients on the internet to connect directly to
It is rather necessary for those clients to address their connection them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite server responds, the firewall automatically performs SNAT to rewrite
@ -524,6 +541,7 @@ the source address in the response.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -566,6 +584,7 @@ be the same as <i>&lt;port&gt;</i>.</p>
<td>from the local network</td> <td>from the local network</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -573,8 +592,8 @@ be the same as <i>&lt;port&gt;</i>.</p>
<p>A couple of important points to keep in mind:</p> <p>A couple of important points to keep in mind:</p>
<ul> <ul>
<li>When you are connecting to your server from your local systems, <li>When you are connecting to your server from your local
you must use the server's internal IP address (10.10.11.2).</li> systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port 80. <li>Many ISPs block incoming connection requests to port 80.
If you have problems connecting to your web server, try the following If you have problems connecting to your web server, try the following
rule and try connecting to port 5000 (e.g., connect to <a rule and try connecting to port 5000 (e.g., connect to <a
@ -606,6 +625,7 @@ If you have problems connecting to your web server, try the following
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -637,6 +657,7 @@ If you have problems connecting to your web server, try the following
<td><i>&lt;external IP&gt;</i></td> <td><i>&lt;external IP&gt;</i></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -678,6 +699,7 @@ If you have problems connecting to your web server, try the following
<td>$ETH0_IP</td> <td>$ETH0_IP</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -702,6 +724,7 @@ of two approaches:</p>
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
@ -711,19 +734,20 @@ isn't available, look in /etc/resolv.conf on your firewall system
</p> </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your firewall     You can configure a<i> Caching Name Server </i>on your
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name
(which also requires the 'bind' RPM) and for Bering users, there server (which also requires the 'bind' RPM) and for Bering users,
is dnscache.lrp. If you take this approach, you configure your internal there is dnscache.lrp. If you take this approach, you configure your
systems to use the caching name server as their primary (and only) internal systems to use the caching name server as their primary (and
name server. You use the internal IP address of the firewall (10.10.10.254 only) name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to talk run the name server on your firewall. To allow your local systems to
to your caching name server, you must open port 53 (both UDP and TCP) talk to your caching name server, you must open port 53 (both UDP
from the local network to the server; you do that by adding the rules and TCP) from the local network to the server; you do that by adding
in /etc/shorewall/rules. </p> the rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -780,6 +804,7 @@ in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</p> </p>
@ -838,6 +863,7 @@ in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -884,6 +910,7 @@ in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -932,6 +959,7 @@ in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -972,6 +1000,7 @@ in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1015,6 +1044,7 @@ in /etc/shorewall/rules. </p>
<td>from the internet</td> <td>from the internet</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1060,6 +1090,7 @@ want shell access to your firewall from the internet, use SSH:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -1068,8 +1099,8 @@ want shell access to your firewall from the internet, use SSH:</p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    Now modify /etc/shorewall/rules to add or remove other connections     Now modify /etc/shorewall/rules to add or remove other
as required.</p> connections as required.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1098,9 +1129,9 @@ want shell access to your firewall from the internet, use SSH:</p>
and stopped using "shorewall stop". When the firewall is stopped, and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart"
If you want to totally remove any trace of Shorewall from your Netfilter command. If you want to totally remove any trace of Shorewall from
configuration, use "shorewall clear".</p> your Netfilter configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
@ -1124,11 +1155,13 @@ to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/20/2002 - <a <p align="left"><font size="2">Last updated 1/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>
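Review bot: two additional `<br>` lines are appended after the copyright notice, leaving five consecutive line breaks at the end of the body; this looks like editor padding rather than an intended change and can be reverted.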

View File

@ -12,6 +12,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title> <title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -60,8 +61,8 @@ network.</li>
</p> </p>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
if this package is installed by the presence of an <b>ip</b> program tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to on your firewall system. As root, you can use the 'which' command to
check for this program:</p> check for this program:</p>
@ -95,12 +96,12 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few /etc/shorewall -- for simple setups, you will only need to deal with a
of these as described in this guide. After you have <a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
(these files will replace files with the same name).</b></p> /etc/shorewall (these files will replace files with the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
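Review bot: the duplicated word in "un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files" survives the re-wrap on both sides of this hunk; since the line is being rewritten anyway, drop one "and".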
@ -148,10 +149,10 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
</ul> </ul>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file checked against the /etc/shorewall/rules file. If no rule in that
matches the connection request then the first policy in /etc/shorewall/policy file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP  that matches the request is applied. If that policy is REJECT or
the request is first checked against the rules in /etc/shorewall/common DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample <p>The /etc/shorewall/policy file included with the two-interface sample
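Review bot: "If that policy is REJECT or DROP  the request is first checked against the rules in /etc/shorewall/common" needs a comma after DROP and has a stray double (non-breaking) space before "the". This is the sentence that tells readers the common rules are applied before a DROP or REJECT policy takes effect, so it is worth making it read cleanly while the paragraph is being reflowed.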
@ -190,6 +191,7 @@ has the following policies:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
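Review bot: whitespace-only change (a blank line inserted after </tbody>). Editor reflows and inserted blank lines committed together with the new WARNING paragraph make the actual documentation change hard to find in this diff; keeping the reflow in a separate commit would make the content change reviewable on its own.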
@ -217,6 +219,7 @@ has the following policies:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -224,8 +227,8 @@ has the following policies:</p>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from your local network to <li>allow all connection requests from your local network
the internet</li> to the internet</li>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the internet
to your firewall or local network</li> to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall <li>optionally accept all connection requests from the firewall
@ -275,19 +278,21 @@ Shorewall doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
    The Shorewall two-interface sample configuration assumes that     The Shorewall two-interface sample configuration assumes
the external interface is <b>eth0</b> and the internal interface is <b>eth1</b>. that the external interface is <b>eth0</b> and the internal interface
If your configuration is different, you will have to modify the sample is <b>eth1</b>. If your configuration is different, you will have to
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
accordingly. While you are there, you may wish to review the list of file accordingly. While you are there, you may wish to review the list
options that are specified for the interfaces. Some hints:</p> of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the
option list. </p> option list. </p>
@ -304,11 +309,11 @@ the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address is to use that address permanently.<i> </i>However your external address
assigned, it will be shared by all of your systems when you access the is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses in your internal network Internet. You will have to assign your own addresses in your internal
(the Internal Interface on your firewall plus your other computers). RFC network (the Internal Interface on your firewall plus your other computers).
1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -326,14 +331,15 @@ entry in /etc/shorewall/interfaces.</p>
<div align="left"> <div align="left">
<p align="left">You will want to assign your addresses from the same <i> <p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
is described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless a subnet is described using <a
InterDomain Routing </i>(CIDR) notation</a> with consists of the subnet href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
address followed by "/24". The "24" refers to the number of consecutive </i>(CIDR) notation</a> with consists of the subnet address followed
leading "1" bits from the left of the subnet mask. </p> by "/24". The "24" refers to the number of consecutive leading "1"
bits from the left of the subnet mask. </p>
</div> </div>
<div align="left"> <div align="left">
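Review bot: two grammar errors survive the re-wrap in this paragraph: "we can consider a subnet to consists of" should read "to consist of", and "(CIDR) notation with consists of the subnet address followed by "/24"" should read "which consists of". Both lines are already being rewritten here, so the fixes cost nothing.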
@ -362,6 +368,7 @@ leading "1" bits from the left of the subnet mask. </p>
<td>10.10.10.0/24</td> <td>10.10.10.0/24</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -369,8 +376,8 @@ leading "1" bits from the left of the subnet mask. </p>
<div align="left"> <div align="left">
<p align="left">It is conventional to assign the internal interface either <p align="left">It is conventional to assign the internal interface either
the first usable address in the subnet (10.10.10.1 in the above example) the first usable address in the subnet (10.10.10.1 in the above
or the last usable address (10.10.10.254).</p> example) or the last usable address (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
@ -383,10 +390,10 @@ leading "1" bits from the left of the subnet mask. </p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Your local computers (computer 1 and computer 2 in the above     Your local computers (computer 1 and computer 2 in the
diagram) should be configured with their<i> default gateway</i> to above diagram) should be configured with their<i> default gateway</i>
be the IP address of the firewall's internal interface.<i>      </i> to be the IP address of the firewall's internal interface.<i>     
</p> </i> </p>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
@ -402,7 +409,16 @@ more about IP addressing and routing, I highly recommend <i>"IP Fundamental
height="635"> height="635">
</p> </p>
<p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.</p> <p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
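Review bot: the new WARNING is a useful addition, but it only names the sample subnet; the guide earlier tells the reader to pick any RFC 1918 range for the local network, so the condition should be stated as "if that address is in the same subnet you chose for your local network" rather than "in the 10.10.10.0/24 subnet". It would also help to say how to find out what the ISP assigned, e.g. with the <b>ip</b> program the guide already requires (ip addr show eth0 on the external interface) or from the DHCP lease. On style, the <br> placed immediately before </p> on the default-gateway paragraph and on the WARNING paragraph is editor residue and can be removed.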
@ -411,8 +427,8 @@ more about IP addressing and routing, I highly recommend <i>"IP Fundamental
forward packets which have an RFC-1918 destination address. When one forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1) sends a connection request of your local systems (let's assume computer 1) sends a connection request
to an internet host, the firewall must perform <i>Network Address Translation to an internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to </i>(NAT). The firewall rewrites the source address in the packet
be the address of the firewall's external interface; in other words, to be the address of the firewall's external interface; in other words,
the firewall makes it look as if the firewall itself is initiating the the firewall makes it look as if the firewall itself is initiating the
connection.  This is necessary so that the destination host will be able connection.  This is necessary so that the destination host will be able
to route return packets back to the firewall (remember that packets whose to route return packets back to the firewall (remember that packets whose
@ -428,11 +444,13 @@ with Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> describes the case where you let your <p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address. firewall system automatically detect the external interface address.
</p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local the source address that you want outbound packets from your local
network to use. </p> network to use. </p>
@ -456,8 +474,8 @@ interface.</p>
height="13"> height="13">
    If your external IP is static, you can enter it in the third     If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static IP will work fine if you leave that column empty. Entering your static
in column 3 makes processing outgoing packets a little more efficient.<br> IP in column 3 makes processing outgoing packets a little more efficient.<br>
<br> <br>
<img border="0" src="images/BD21298_.gif" width="13" height="13" <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
@ -476,9 +494,9 @@ interface.</p>
<h2 align="left">Port Forwarding (DNAT)</h2> <h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals may be to run one or more servers on your <p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, it local computers. Because these computers have RFC-1918 addresses,
is not possible for clients on the internet to connect directly to them. it is not possible for clients on the internet to connect directly to
It is rather necessary for those clients to address their connection them. It is rather necessary for those clients to address their connection
requests to the firewall who rewrites the destination address to the requests to the firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to rewrite your server responds, the firewall automatically performs SNAT to rewrite
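Review bot: "address their connection requests to the firewall who rewrites the destination address" should be "which rewrites"; the line is among those being re-wrapped in this hunk.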
@ -515,6 +533,7 @@ the source address in the response.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -545,6 +564,7 @@ the source address in the response.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -552,8 +572,8 @@ the source address in the response.</p>
<p>A couple of important points to keep in mind:</p> <p>A couple of important points to keep in mind:</p>
<ul> <ul>
<li>You must test the above rule from a client outside of your <li>You must test the above rule from a client outside of
local network (i.e., don't test from a browser running on computers your local network (i.e., don't test from a browser running on computers
1 or 2 or on the firewall). If you want to be able to access your web 1 or 2 or on the firewall). If you want to be able to access your web
server using the IP address of your external interface, see <a server using the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li> href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
@ -586,6 +606,7 @@ If you have problems connecting to your web server, try the following
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -607,6 +628,7 @@ the resolver in your internal systems. You can take one of two approaches:<
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
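Review bot: the context line "If you ISP gave you the addresses of their servers" has a typo ("you" for "your") that is untouched by this commit; worth fixing in the same pass since the surrounding paragraph is being reflowed.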
@ -616,18 +638,19 @@ isn't available, look in /etc/resolv.conf on your firewall system
</p> </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>     You can configure a<i> Caching Name Server </i>on your
</i>Red Hat has an RPM for a caching name server (the RPM also firewall.<i> </i>Red Hat has an RPM for a caching name server (the
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. RPM also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use If you take this approach, you configure your internal systems to use
the firewall itself as their primary (and only) name server. You use the the firewall itself as their primary (and only) name server. You use
internal IP address of the firewall (10.10.10.254 in the example above) the internal IP address of the firewall (10.10.10.254 in the example
for the name server address. To allow your local systems to talk to above) for the name server address. To allow your local systems to
your caching name server, you must open port 53 (both UDP and TCP) from talk to your caching name server, you must open port 53 (both UDP and
the local network to the firewall; you do that by adding the following TCP) from the local network to the firewall; you do that by adding
rules in /etc/shorewall/rules. </p> the following rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -664,6 +687,7 @@ rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -709,6 +733,7 @@ rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -748,6 +773,7 @@ rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -787,6 +813,7 @@ rules in /etc/shorewall/rules. </p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -830,6 +857,7 @@ rules in /etc/shorewall/rules. </p>
<td>from the local network</td> <td>from the local network</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -876,6 +904,7 @@ want shell access to your firewall from the internet, use SSH:</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -914,18 +943,18 @@ other connections as required.</p>
and stopped using "shorewall stop". When the firewall is stopped, and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart"
If you want to totally remove any trace of Shorewall from your Netfilter command. If you want to totally remove any trace of Shorewall from
configuration, use "shorewall clear".</p> your Netfilter configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    The two-interface sample assumes that you want to enable     The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is stopped. routing to/from <b>eth1 </b>(the local network) when Shorewall is
If your local network isn't connected to <b>eth1</b> or if you wish to stopped. If your local network isn't connected to <b>eth1</b> or if you
enable access to/from other hosts, change /etc/shorewall/routestopped wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p> accordingly.</p>
</div> </div>
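Review bot: the paragraph about the two-interface sample and routestopped would benefit from one more sentence of guidance: an entry in /etc/shorewall/routestopped means that host can route through the box while Shorewall is stopped, so readers should list only the hosts that genuinely need that (for example the one they administer the firewall from), rather than widening it to "other hosts" casually. Otherwise the hunk is re-wrapping only.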
@ -940,11 +969,13 @@ to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/20/2002 - <a <p align="left"><font size="2">Last updated 1/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>
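Review bot: for this file the "Last updated" bump and the copyright year change are justified by the new WARNING paragraph, but the two additional <br> lines appended after the copyright notice are the same editor cruft as in the first file; the trailer now ends in five consecutive <br> tags and should be trimmed rather than extended further.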